diff --git a/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json b/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json
index 2682c5f4f5..a1d1d38a69 100644
--- a/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json
+++ b/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3b100192-8473-43da-9163-2af54ea28045",
+ "id": "bundle--392b27e2-1426-462f-8af7-ef1842904984",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,7 @@
 "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
 "created": "2020-05-21T17:43:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
+ "revoked": true,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -29,7 +29,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-15T19:58:01.218Z",
+ "modified": "2026-04-20T20:58:37.791Z",
 "name": "Block Command Message",
 "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
 "kill_chain_phases": [
@@ -40,7 +40,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json b/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json
index 6291573b82..8b2e98310f 100644
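Review bot: In the `@@ -8,7 +8,7 @@` hunk for `attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61` (Block Command Message), `"revoked": true` is set but nothing visible in this file names the successor object, and `x_mitre_deprecated` stays `false`. Consumers that drop revoked objects will lose this technique from coverage maps and detection tags unless a `revoked-by` relationship to the replacement ships in the same commit; that relationship would live outside this file, so it is worth confirming before merge. The new object `attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9` carries the same description and looks like the intended target, though the diff does not say so. The same applies to the `revoked` flip on `attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60` (Block Serial COM), whose successor is not identifiable from this view.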
--- a/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json
+++ b/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--db059f6e-c51e-4d30-a497-89dd97c63544",
+ "id": "bundle--4420a5bb-5e76-45e8-92f3-f2d1d0fc7c7d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -35,7 +35,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json b/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json
index c86372559a..f01858f02b 100644
--- a/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json
+++ b/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--511c1a9a-5d50-41f1-90f6-5484dd141e4c",
+ "id": "bundle--3aff9d1a-cdcd-4e4c-b679-fbbacebb53c2",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json b/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json
index 64485de03a..2ad6bf6d0f 100644
--- a/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json
+++ b/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a07fda33-be7f-4b0e-b471-5f9aa83d88df",
+ "id": "bundle--e3868a29-3e0c-495b-98c8-e31d8c7d177a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -35,7 +35,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json b/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json
index 3caa9b7718..0dbfb9a0cc 100644
--- a/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json
+++ b/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a1cc64ed-550c-4549-a810-bdd45171da08",
+ "id": "bundle--fa655f76-185f-4850-9b61-5e2469106d64",
 "spec_version": "2.0",
 "objects": [
 {
@@ -52,7 +52,6 @@
 "ICSCoE Japan"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json b/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json
index db43856975..5e83905fdc 100644
--- a/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json
+++ b/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5d1cd3e6-81ee-4517-a96d-9e47c5a5cb5f",
+ "id": "bundle--8acf0b5f-6171-41fd-b5e2-dfc7c8de1da9",
 "spec_version": "2.0",
 "objects": [
 {
@@ -45,7 +45,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9.json b/ics-attack/attack-pattern/attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9.json
new file mode 100644
index 0000000000..fb36a985dc
--- /dev/null
+++ b/ics-attack/attack-pattern/attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9.json
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--e570e62d-359b-44f1-9a0c-d71a2b9ad4e3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9",
+ "created": "2026-04-20T20:54:16.029Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1691/001",
+ "external_id": "T1691.001"
+ },
+ {
+ "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+ "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+ "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+ },
+ {
+ "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
+ "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
+ "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T18:50:42.389Z",
+ "name": "Command Message",
+ "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json b/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json
index 9f156272f0..e1ca09e8ad 100644
--- a/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json
+++ b/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a0edae38-b1be-49c1-aac0-e6203bac1275",
+ "id": "bundle--cfbc79f6-8189-4439-bded-67a2266ca62b",
 "spec_version": "2.0",
 "objects": [
 {
@@ -41,8 +41,7 @@
 "None"
 ],
 "x_mitre_version": "1.0",
- "revoked": false,
- "x_mitre_detection": ""
+ "revoked": false
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json b/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json
index c5fdbd3e8b..1789f24985 100644
--- a/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json
+++ b/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json
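Review bot: The citation text added for `T1691.001` is malformed: both reference `description` strings end in `Retrieved. 2018/…` followed by a trailing space, and the E-ISAC title is spelled `Ukranian` rather than `Ukrainian`. The IEEE reference also uses a plain `http://ieeexplore.ieee.org/...` link; switching it to `https://` avoids steering readers of this feed to a cleartext fetch. The same two `external_references` entries are repeated in the new `T1691` object (`attack-pattern--338f4364-2269-4f70-9079-b20384b16628`), so both files should be corrected together.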
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b8c1ac95-32be-495e-8224-c779b3c6ac71",
+ "id": "bundle--9e4a8729-3b57-4fd5-b835-d0e1eebfe882",
 "spec_version": "2.0",
 "objects": [
 {
@@ -45,7 +45,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json b/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json
index 15366e33e0..795a23c456 100644
--- a/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json
+++ b/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fd9dc067-3b38-4d3b-bd61-f56b6cc40d77",
+ "id": "bundle--a438b9fc-6a06-4463-8d8e-f17a1703ad7d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -50,7 +50,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json b/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json
index 750ec95881..d960bf8b73 100644
--- a/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json
+++ b/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e0070a8a-84a7-4f53-ad09-3d3257d58503",
+ "id": "bundle--fe8f8c52-2d90-4258-8301-012c9034f7ed",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,7 @@
 "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
 "created": "2020-05-21T17:43:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
+ "revoked": true,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -19,7 +19,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:26:10.923Z",
+ "modified": "2026-04-20T20:58:51.323Z",
 "name": "Block Serial COM",
 "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. \n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.",
 "kill_chain_phases": [
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91.json b/ics-attack/attack-pattern/attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91.json
index ae1556153e..4147d84fd5 100644
--- a/ics-attack/attack-pattern/attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91.json
+++ b/ics-attack/attack-pattern/attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3596db84-c907-4de0-ba4b-315df759ebe0",
+ "id": "bundle--75c12133-ac56-4cf3-bb09-ef255f02bd49",
 "spec_version": "2.0",
 "objects": [
 {
@@ -45,7 +45,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json b/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json
index d3382a6e29..8be36bd4bb 100644
--- a/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json
+++ b/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2b8ae6cd-3e96-4544-9f58-61fc162fef11",
+ "id": "bundle--28b49a0f-7c68-4318-87ee-8b010f4611a2",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,7 +29,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": true,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json b/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json
index 0db5497283..28c3c89526 100644
--- a/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json
+++ b/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3c28048a-0464-476a-b722-165f7f608207",
+ "id": "bundle--84df1df6-0102-40b1-8dc0-e3fec7d69926",
 "spec_version": "2.0",
 "objects": [
 {
@@ -35,7 +35,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json b/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json
index f053abb42e..050f29fba2 100644
--- a/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json
+++ b/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c4211b9b-9d62-4372-b938-4b7d9630a35b",
+ "id": "bundle--d78cc6ea-97f3-44dd-ae29-df24d6d0cc08",
 "spec_version": "2.0",
 "objects": [
 {
@@ -38,7 +38,6 @@
 "Jos Wetzels - Midnight Blue"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json b/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json
index 70eec30fba..2c97625289 100644
--- a/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json
+++ b/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4355c76f-c13c-44c9-afe8-704e86945e02",
+ "id": "bundle--e456cd6c-6144-4270-aafa-d0695c331b7a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json b/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json
index a8b11bfd68..773fdb8b3b 100644
--- a/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json
+++ b/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f71161c9-4dda-4109-b5d0-32649d23f9a3",
+ "id": "bundle--852f2fa4-df16-4d17-8102-57091396464a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -45,7 +45,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json b/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json
index 6c15df9b91..4e40a5daca 100644
--- a/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json
+++ b/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4a1385b1-475c-4963-a8fe-829b94439558",
+ "id": "bundle--b58e6c3b-56d2-403a-bc54-f0de15f53a7b",
 "spec_version": "2.0",
 "objects": [
 {
@@ -58,7 +58,6 @@
 "Scott Dougherty"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json b/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json
index add831e903..e071e539c9 100644
--- a/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json
+++ b/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fd150993-1119-4b68-b871-8db6f239e52b",
+ "id": "bundle--0bacf285-457b-4696-95d4-0c09bfd5f268",
 "spec_version": "2.0",
 "objects": [
 {
@@ -54,7 +54,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json b/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json
index 8120776e4a..6b2c6071b8 100644
--- a/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json
+++ b/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e6091ad9-6da6-445f-9bdd-135514b4386a",
+ "id": "bundle--ee4ab113-9a09-45fd-9949-93fc5c7874cb",
 "spec_version": "2.0",
 "objects": [
 {
@@ -39,7 +39,6 @@
 "Jos Wetzels - Midnight Blue"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json b/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json
index a8c55264c6..48dc0a2854 100644
--- a/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json
+++ b/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0498a7e3-24f2-435f-a022-2b981d0bc446",
+ "id": "bundle--0834f6ea-1da7-43b2-acd6-678ec7dd773f",
 "spec_version": "2.0",
 "objects": [
 {
@@ -50,7 +50,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json b/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json
index d7b527ba6c..e1bedf8232 100644
--- a/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json
+++ b/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--df038f55-e85e-473b-a7c2-68bcdff5b42c",
+ "id": "bundle--4c7c8e72-22ab-4b83-a8e2-6957aa52a8a2",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json b/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json
index 7393193e59..1e8345b6bc 100644
--- a/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json
+++ b/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--69924db1-013b-4768-93de-2f112bbfa657",
+ "id": "bundle--714783b7-56ba-4f41-8ac1-60fb9dab09d8",
 "spec_version": "2.0",
 "objects": [
 {
@@ -38,8 +38,7 @@
 "None"
 ],
 "x_mitre_version": "1.0",
- "revoked": false,
- "x_mitre_detection": ""
+ "revoked": false
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json b/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json
index 347179a1b0..b784fa20f0 100644
--- a/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json
+++ b/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fa6a6821-d172-4240-af82-652613ee9d2e",
+ "id": "bundle--33d9b414-af0b-4dc0-b9dd-6a8c9beb3e4f",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json b/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json
index 3229debeee..30954a7be8 100644
--- a/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json
+++ b/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--70611865-6dd5-453d-96be-9e9f6bb43c10",
+ "id": "bundle--598eb5ab-3867-4f3f-ab33-11dc1d602c3d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json b/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json
index a6a6f91f7e..01cad43701 100644
--- a/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json
+++ b/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--febc1ad3-4c3f-4a9e-9087-ce284bc68fd0",
+ "id": "bundle--c3270e3e-ef4b-4ee9-b826-70128660fee8",
 "spec_version": "2.0",
 "objects": [
 {
@@ -38,8 +38,7 @@
 "None"
 ],
 "x_mitre_version": "1.0",
- "revoked": false,
- "x_mitre_detection": ""
+ "revoked": false
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json b/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json
index 350deae1fd..3313164055 100644
--- a/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json
+++ b/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--db3b07ef-145d-418e-8491-2b6a8e8706fb",
+ "id": "bundle--d66c4692-4856-4adb-9bd9-4062bd99c25c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--338f4364-2269-4f70-9079-b20384b16628.json b/ics-attack/attack-pattern/attack-pattern--338f4364-2269-4f70-9079-b20384b16628.json
new file mode 100644
index 0000000000..24b86b883c
--- /dev/null
+++ b/ics-attack/attack-pattern/attack-pattern--338f4364-2269-4f70-9079-b20384b16628.json
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--70b6a9d3-e4e4-42b6-b5b7-7077463b7d12",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628",
+ "created": "2026-04-20T20:50:34.107Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1691",
+ "external_id": "T1691"
+ },
+ {
+ "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+ "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+ "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+ },
+ {
+ "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
+ "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
+ "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T18:49:15.673Z",
+ "name": "Block Operational Technology Message",
+ "description": "Adversaries may block messages between systems and devices in an OT/ICS environment to disrupt processes. Messages typically fall into two categories: (1) reporting messages that contain telemetry data about the current state of systems, devices, and processes and (2) command messages that contain instructions to control systems, devices, and processes. Both types of messages are critical for the proper functioning of industrial control processes and failure of the messages to reach their intended destinations could inhibit response functions or create an unsafe condition that could have physical impacts.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n\nAdversaries may block communications by either making modifications to software ([System Firmware](https://attack.mitre.org/techniques/T0857), [Module Firmware](https://attack.mitre.org/techniques/T0839), [Hooking](https://attack.mitre.org/techniques/T0874), and [Rootkit](https://attack.mitre.org/techniques/T0851)) and services ([Service Stop](https://attack.mitre.org/techniques/T0881), [Denial of Service](https://attack.mitre.org/techniques/T0814)) on systems and devices or by positioning themselves between systems and devices and intercepting and blocking the communications such as the case with an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack.\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json b/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json
index 9a4e2fbd12..5168fa0bc2 100644
--- a/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json
+++ b/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c62976ab-05b7-405a-b1c7-98b5d306906c",
+ "id": "bundle--fd148596-c2e3-4d3f-a25f-748d492deb90",
 "spec_version": "2.0",
 "objects": [
 {
@@ -40,7 +40,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json b/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json
index 7a527d57d0..f3ea41035e 100644
--- a/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json
+++ b/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c27630a0-3951-4966-b06b-5ececdec77bf",
+ "id": "bundle--4db59792-d1bd-41e5-85b4-05b39f0e30c1",
 "spec_version": "2.0",
 "objects": [
 {
@@ -35,7 +35,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43.json b/ics-attack/attack-pattern/attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43.json
new file mode 100644
index 0000000000..b992166650
--- /dev/null
+++ b/ics-attack/attack-pattern/attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43.json
@@ -0,0 +1,46 @@
+{
+ "type": "bundle",
+ "id": "bundle--441858cb-28e7-4a75-b2eb-f862127c0dee",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43",
+ "created": "2026-04-20T20:54:20.103Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0873/001",
+ "external_id": "T0873.001"
+ },
+ {
+ "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+ "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T19:37:43.545Z",
+ "name": "Siemens Project File Format",
+ "description": "Adversaries may infect Siemens PLC project files (i.e., Step 7, WinCC, etc.) to achieve [Execution](https://attack.mitre.org/tactics/TA0104), [Persistence](https://attack.mitre.org/tactics/TA0110), and [Lateral Movement](https://attack.mitre.org/tactics/TA0109) objectives. Adversaries may modify an existing project file or bring their own project files into the environment.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)\n\nThe ability for an adversary to deploy an infected project file relies on access to a workstation with Siemens PLC programming software installed on it from which a program download can be performed.\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "persistence"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json b/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json
index d4466a9275..7363d4d2bf 100644
--- a/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json
+++ b/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1e5a73eb-a6d0-44d1-a958-5c1b1f93844f",
+ "id": "bundle--b80d424e-1fc6-46fa-9202-699dd03c2693",
 "spec_version": "2.0",
 "objects": [
 {
@@ -40,7 +40,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json b/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json
index ef9209afa2..ba805a6fee 100644
--- a/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json
+++ b/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json
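Review bot: `kill_chain_phases` for `T0873.001` lists only `persistence`, while the `description` in the same hunk says the technique is used for Execution, Persistence and Lateral Movement objectives. Tooling that buckets techniques by `phase_name` will surface this object under Persistence only, so analysts filtering coverage on the other two tactics would not see it. Either narrow the description to the tactic the object is filed under, or add the matching phase entries if the parent technique carries them; the parent object is not in this view, so which of the two is intended cannot be confirmed from the hunk.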
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7bd2df7e-1010-430d-a5ba-8662043f507c",
+ "id": "bundle--834fe68a-9efa-4f93-9ffa-18a8ca9f30bc",
 "spec_version": "2.0",
 "objects": [
 {
@@ -35,7 +35,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json b/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json
index 346484eea2..192beb13bf 100644
--- a/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json
+++ b/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e68a80c9-2dd6-430f-aa08-91d8704a5a20",
+ "id": "bundle--d74c07d6-bd76-4adf-892c-830e0c1364da",
 "spec_version": "2.0",
 "objects": [
 {
@@ -39,7 +39,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json b/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json
index 0536701b0c..4797ad8fe8 100644
--- a/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json
+++ b/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--dc28f3d6-6282-4760-8c88-c64f6bdc778c",
+ "id": "bundle--c93dabc5-6067-4048-bcfd-7bf2f6caa4e7",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c.json b/ics-attack/attack-pattern/attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c.json
new file mode 100644
index 0000000000..8b8a212dd7
--- /dev/null
+++ b/ics-attack/attack-pattern/attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c.json
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--ee85cb25-1aee-42b2-8301-37db0d2efcca", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "created": "2026-04-20T20:50:35.222Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1694", + "external_id": "T1694" + }, + { + "source_name": "ICS-ALERT-13-164-01", + "description": "Cybersecurity and Infrastructure Security Agency (CISA). (2013, October 29). Medical Devices Hard-Coded Passwords. Retrieved April 23, 2026.", + "url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01" + }, + { + "source_name": "OT IceFall", + "description": "Forescout Vedere Labs. (2022, June). OT: IceFall Report. Retrieved April 23, 2026.", + "url": "https://www.forescout.com/resources/ot-icefall-report/" + }, + { + "source_name": "NIST SP 800-82r3", + "description": "Keith Stouffer. (2023, September). Guide to Operational Technology (OT) Security. Retrieved April 22, 2026.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:29:41.601Z", + "name": "Insecure Credentials", + "description": "Adversaries may target insecure credentials as a means to persist on a system or device or move laterally from one system or device to another. 
Insecure credentials may appear as default credentials which are pre-configured credentials on a system, device, or software that are well-known in documentation or hard-coded credentials which are built into the system, device, or software that cannot be changed or not easily changed because of the impact on control processes.(Citation: NIST SP 800-82r3)(Citation: ICS-ALERT-13-164-01)(Citation: OT IceFall)\n Adversaries often times use insecure credentials to evade detection as they are typically forgotten about by system and device owners.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json b/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json index fdfceb444a..7e8fbce03c 100644 --- a/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json +++ b/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--330d4b77-e0dd-4fa8-8b57-f6818f2e8b6d", + "id": "bundle--1767dd12-2335-4865-9b1c-f9bed5970270", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,7 @@ "id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, + "revoked": true, "external_references": [ { "source_name": "mitre-attack", 
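Review bot: The last sentence of the T1694 `description` says insecure credentials are used to evade detection, yet `kill_chain_phases` lists only `persistence` and `lateral-movement`; either add an `evasion` phase or reword the sentence so the text and the tactic mapping agree. The paragraph break before that sentence is `\n ` (one newline and a space) where the other new objects use `\n\n`, so Markdown renderers will likely fold it into the previous paragraph. Suggested ending: `(Citation: OT IceFall)\n\nAdversaries often use insecure credentials to evade detection, as system and device owners tend to forget about them.`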
@@ -29,7 +29,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:26:13.771Z",
+ "modified": "2026-04-20T20:58:39.117Z",
 "name": "Block Reporting Message",
 "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
 "kill_chain_phases": [
@@ -40,7 +40,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json b/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json
index 57a6c5c16b..30ef272a9b 100644
--- a/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json
+++ b/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cf3f15d0-ab9f-4211-ba99-9b5bd4459464",
+ "id": "bundle--2db993f5-8647-4185-b519-a9427ce44198",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,7 @@
 "id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
 "created": "2020-05-21T17:43:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
+ "revoked": true,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -34,7 +34,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:26:13.939Z",
+ "modified": "2026-04-20T20:58:41.104Z",
 "name": "Unauthorized Command Message",
 "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)",
 "kill_chain_phases": [
@@ -45,7 +45,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265.json b/ics-attack/attack-pattern/attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265.json
new file mode 100644
index 0000000000..a8e8a6828a
--- /dev/null
+++ b/ics-attack/attack-pattern/attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265.json 
@@ -0,0 +1,60 @@ +{ + "type": "bundle", + "id": "bundle--47023bdb-fafe-4853-a942-77922bc6044c", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "created": "2026-04-20T20:54:17.053Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1692/001", + "external_id": "T1692.001" + }, + { + "source_name": "Benjamin Freed March 2019", + "description": "Benjamin Freed 2019, March 13 Tornado sirens in Dallas suburbs deactivated after being hacked and set off Retrieved. 2020/11/06 ", + "url": "https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Zack Whittaker April 2017", + "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ", + "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:59:19.225Z", + "name": "Command Message", + "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. 
If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105).(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster.(Citation: Zack Whittaker April 2017)(Citation: Benjamin Freed March 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json b/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json index 5d35c57b35..8f012082e2 100644 --- a/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json +++ b/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c82abc7c-6a29-4d08-bbfc-4a98d0b4474b", + "id": "bundle--e6f7c299-6fb2-47fe-b781-73037c978396", "spec_version": "2.0", "objects": [ { @@ -38,7 +38,6 @@ "Matan Dobrushin - Otorio" ], "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
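Review bot: The three citation `description` strings in T1692.001 keep the legacy layout `... Retrieved. 2020/11/06 ` (period before the date, trailing space), while objects created in the same commit use `Author. (Year, Month). Title. Retrieved April 23, 2026.`. Consumers that parse the retrieval date out of citations will see two formats; the same legacy strings appear in the Reporting Message (T1692.002), Default Credentials (T1694.001) and Ethernet (T1695.002) objects. For example: `Benjamin Freed. (2019, March 13). Tornado sirens in Dallas suburbs deactivated after being hacked and set off. Retrieved 2020/11/06.` The IEEE reference is also an `http://` URL; switching it to `https://` is worth doing if the link still resolves.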
diff --git a/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json b/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json
index 052d23dd26..b17f0ce755 100644
--- a/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json
+++ b/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3eaa75c9-7feb-421c-a64b-e708387e29cb",
+ "id": "bundle--cac96d5e-0458-4ecd-b28b-4bb49314bb92",
 "spec_version": "2.0",
 "objects": [
 {
@@ -45,7 +45,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json b/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json
index e8fd9af14a..fb253cd4b9 100644
--- a/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json
+++ b/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--65ed6754-8448-4256-927f-04c59fda1504",
+ "id": "bundle--a64ab4ef-5074-46a9-9b71-0d65515ebb03",
 "spec_version": "2.0",
 "objects": [
 {
@@ -37,7 +37,6 @@
 "Joe Slowik - Dragos"
 ],
 "x_mitre_deprecated": true,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0.json b/ics-attack/attack-pattern/attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0.json
new file mode 100644
index 0000000000..1dad76fc94
--- /dev/null
+++ b/ics-attack/attack-pattern/attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0.json
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--47ca67e0-c242-4840-a173-ea85f6e61942", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "created": "2026-04-20T20:54:17.539Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1692/002", + "external_id": "T1692.002" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:01:42.644Z", + "name": "Reporting Message", + "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.\n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. 
The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json b/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json index 19cfb3e0cd..bd71f050d6 100644 --- a/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json +++ b/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a0c04a36-060d-4737-a49a-e6de944ef14c", + "id": "bundle--4de04e1c-ba2d-48ac-a5fc-236e43ff5271", "spec_version": "2.0", "objects": [ { @@ -29,7 +29,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json b/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json index f5e4701e06..d32a16ad3f 100644 --- a/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json +++ b/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json 
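Review bot: `Spoof Reporting Messages` is capitalised three times in the second paragraph of the T1692.002 `description` as if it were a technique name, but this object is named `Reporting Message` and the phrase carries no link, so a reader cannot tell which technique is meant. Either lower-case it (`If an adversary has the ability to spoof reporting messages, ...`) or link it to the technique it refers to.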
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--abbe2adb-04d3-4d5b-b656-aca94d021363",
+ "id": "bundle--208fe93a-cfbd-452f-8b89-4bdd452d3b10",
 "spec_version": "2.0",
 "objects": [
 {
@@ -38,8 +38,7 @@
 "None"
 ],
 "x_mitre_version": "1.0",
- "revoked": false,
- "x_mitre_detection": ""
+ "revoked": false
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json b/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json
index 87bcd4ed4b..c97272d622 100644
--- a/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json
+++ b/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ec07abd0-a6b3-411d-99b8-c22f445eacce",
+ "id": "bundle--9bd2839f-5974-4913-a1f0-ae44088acce9",
 "spec_version": "2.0",
 "objects": [
 {
@@ -40,7 +40,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5.json b/ics-attack/attack-pattern/attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5.json
new file mode 100644
index 0000000000..92364c6f3d
--- /dev/null
+++ b/ics-attack/attack-pattern/attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5.json
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--d279e9da-a2c7-4759-8812-7a99403174a1", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "created": "2026-04-20T20:54:22.399Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1695/001", + "external_id": "T1695.001" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:59:10.079Z", + "name": "Serial COM", + "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages.\n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. 
One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91.json b/ics-attack/attack-pattern/attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91.json new file mode 100644 index 0000000000..d6c17c8292 --- /dev/null +++ b/ics-attack/attack-pattern/attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91.json 
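Review bot: T1695.001 has no `external_references` beyond the `mitre-attack` entry, so the statements about serial-to-Ethernet converters and their listening ports cannot be traced to a source; a citation would help defenders judge how far the example generalises. The sentence `Blocking device serial COM may also block command messages and block reporting messages` reads like a pointer to the Block Command Message and Block Reporting Message techniques, which this commit marks `revoked`, so it probably needs a link to whatever replaces them. Putting the inline command at the end of the description in backticks, as the Port Scan object does for `nmap` and `netcat`, would also keep the sentence's final period from being read as part of the port number.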
@@ -0,0 +1,50 @@ +{ + "type": "bundle", + "id": "bundle--16d068bb-eed3-490d-9370-547dd254c675", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "created": "2026-04-20T20:54:19.020Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1694/001", + "external_id": "T1694.001" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:30:36.158Z", + "name": "Default Credentials", + "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.(Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. 
Adversaries may leverage default credentials that have not been properly modified or disabled.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json b/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json index 55b3c48397..539accc1f1 100644 --- a/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json +++ b/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0bcd5ff5-98f5-4521-8a5c-63f795d5a7a4", + "id": "bundle--249ae70f-8ccf-44bc-af69-a59815cd9845", "spec_version": "2.0", "objects": [ { @@ -45,7 +45,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135.json b/ics-attack/attack-pattern/attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135.json new file mode 100644 index 0000000000..86da0b65a4 --- /dev/null +++ b/ics-attack/attack-pattern/attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135.json 
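Review bot: T1694.001 cites NIST SP 800-82r2 (`Keith Stouffer May 2015`), while its parent T1694, added in the same commit, cites `NIST SP 800-82r3`. Unless the cited statement about passwords that cannot be changed exists only in revision 2, pointing both objects at the same source keeps the references consistent: `"source_name": "NIST SP 800-82r3"` with `(Citation: NIST SP 800-82r3)` in the description. The opening sentence would also read more clearly with a hyphenated modifier, `manufacturer- or supplier-set default credentials`.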
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--7fb56028-5e94-4881-835e-8128cfd9c4b1",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135",
+ "created": "2026-04-20T20:54:25.997Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0843/003",
+ "external_id": "T0843.003"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T00:18:49.737Z",
+ "name": "Program Append",
+ "description": "Adversaries may execute a program append to a PLC to update parts of an existing program. It may or may not require stopping the PLC which may allow it to continue running during transfer and reconfiguration without interruption to process control. Adversaries may leverage this approach to minimize downtime and evade detection. \n\nThe ability to perform a program append to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json b/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json
index 04ba369fd7..e9bd220979 100644
--- a/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json
+++ b/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9b6ff557-b990-4c5a-9070-7455ad62dbd7",
+ "id": "bundle--f3e32bae-af54-4b57-940e-008c778978a0",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a.json b/ics-attack/attack-pattern/attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a.json
new file mode 100644
index 0000000000..349ac681cc
--- /dev/null
+++ b/ics-attack/attack-pattern/attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a.json
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--6c66f19b-3e5d-4e66-98e0-6837f8837986", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "created": "2026-04-20T20:54:20.714Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0846/001", + "external_id": "T0846.001" + }, + { + "source_name": "NIST SP 800-82r3", + "description": "Keith Stouffer. (2023, September). Guide to Operational Technology (OT) Security. Retrieved April 22, 2026.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:41:07.822Z", + "name": "Port Scan", + "description": "Adversaries may perform a port scan on a system, device, or network to identify live hosts, enumerate open ports and running services, identify operating systems, and map out the network.(Citation: NIST SP 800-82r3) The results of a port scan may inform adversary [Discovery](https://attack.mitre.org/tactics/TA0102), [Lateral Movement](https://attack.mitre.org/tactics/TA0109), and vulnerability exploitation decisions ([Exploitation for Evasion](https://attack.mitre.org/techniques/T0820), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T0890), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T0866)). 
\n\nSome common tools for executing a port scan include `nmap`, `netcat`, and the Advanced Port Scanner.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json b/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json index f655d2659e..da2977e309 100644 --- a/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json +++ b/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--50d28dbe-6280-42e1-9c34-c3c9ad8a04eb", + "id": "bundle--143d540e-6378-4eae-85ff-188c15341c31", "spec_version": "2.0", "objects": [ { @@ -40,7 +40,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json b/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json index 338d88611e..ade53866ab 100644 --- a/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json +++ b/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--297aa1f1-4793-439f-9c4e-daf8df6c3704", + "id": "bundle--4f200f39-6c87-44f8-96c1-393200355611", "spec_version": "2.0", "objects": [ { @@ -29,7 +29,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
diff --git a/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json b/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json
index f14b7cfd46..1ad50d688d 100644
--- a/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json
+++ b/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3ae2f509-ee82-4b2d-b085-c1d8cd3c5e13",
+ "id": "bundle--67d80985-10a5-46f8-b1de-c3fb821752da",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855.json b/ics-attack/attack-pattern/attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855.json
new file mode 100644
index 0000000000..0989fd6ebf
--- /dev/null
+++ b/ics-attack/attack-pattern/attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855.json
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--c92be924-948e-46e4-8250-78bc668c377b", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "created": "2026-04-20T20:54:22.891Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1695/002", + "external_id": "T1695.002" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:57:13.444Z", + "name": "Ethernet", + "description": "Adversaries may block access to Ethernet communications to prevent instructions or configurations messages from reaching target systems and devices. Ethernet connections allow for communications between IT and OT systems and devices. 
Blocking Ethernet communications may also block command and reporting messages.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nAn adversary may block Ethernet communications by disabling network interfaces, [Service Stop](https://attack.mitre.org/techniques/T0881), or conducting an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack and dropping the network traffic.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json b/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json index ee6036b597..349be2e3e7 100644 --- a/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json +++ b/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9fb8957d-65e3-4322-84fd-a24d2158ab09", + "id": "bundle--c3d050da-6f25-48f7-857a-774c6d606ea7", "spec_version": "2.0", "objects": [ { @@ -45,7 +45,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json b/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json index 18d0648e8e..519bf72e99 100644 --- a/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json +++ b/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json 
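Review bot: The second `external_references` entry of the new Ethernet object uses a cleartext `http://ieeexplore.ieee.org/...` link and a citation string that does not follow the `Author. (date). Title. Retrieved Month D, YYYY.` shape used by other references added in this commit (for example the Cisco and CISA entries). I would write it as `"description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry. (2011). A Taxonomy of Cyber Attacks on SCADA Systems. Retrieved January 12, 2018.",` and switch the URL scheme to `https://` if the publisher serves the same path over TLS. The same reference is copied into the Wi-Fi and Reporting Message objects, and the Basnight reference in the two firmware objects has the same problems. In the description, `instructions or configurations messages` reads better as `instruction or configuration messages`.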
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e035272a-c229-49da-94f7-d09da79bfa38",
+ "id": "bundle--89dd5eab-e806-41c1-ac07-481716e1017c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -40,7 +40,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91.json b/ics-attack/attack-pattern/attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91.json
new file mode 100644
index 0000000000..4544838e42
--- /dev/null
+++ b/ics-attack/attack-pattern/attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91.json
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--681ae092-7bfa-43f8-8fd4-778fef201378", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "created": "2026-04-20T20:54:21.726Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0846/003", + "external_id": "T0846.003" + }, + { + "source_name": "Cisco Active Discovery", + "description": "Cisco Systems, Inc.. (2024, March 5). Cisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0. Retrieved April 23, 2026.", + "url": "https://www.cisco.com/c/en/us/td/docs/security/cyber_vision/publications/Active-Discovery/Release-4-3-0/b_Cisco_Cyber_Vision_Active_Discovery_Configuration_Guide.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:45:38.166Z", + "name": "Multicast Discovery", + "description": "Adversaries may perform multicast discovery requests which is when one system or device sends messages to all systems and devices in a pre-defined group on a network (or subnet) and then waits for a response. If a response is received that means the system or device that responded is live and can communicate over that protocol. Multicast discovery tends to be stealthier than broadcast discovery because every system or device on the network (or subnet) is not being messaged. 
\n\nOne common OT protocol that has a multicast discovery mechanism is the Process Field Network (PROFINET) Discovery and Configuration Protocol (DCP) with its Identify All requests.(Citation: Cisco Active Discovery)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--68a9324d-a524-4766-a899-a026f68a33df.json b/ics-attack/attack-pattern/attack-pattern--68a9324d-a524-4766-a899-a026f68a33df.json new file mode 100644 index 0000000000..f5a125d8a6 --- /dev/null +++ b/ics-attack/attack-pattern/attack-pattern--68a9324d-a524-4766-a899-a026f68a33df.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--43981976-b03b-4309-b095-8a53c8911cc7", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "created": "2026-04-20T20:54:18.031Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1693/001", + "external_id": "T1693.001" + }, + { + "source_name": "Basnight, Zachry, et al.", + "description": "Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ", + "url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:10:31.871Z", + "name": "System Firmware", + "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.\n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. 
Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers.(Citation: Basnight, Zachry, et al.)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20.json b/ics-attack/attack-pattern/attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20.json new file mode 100644 index 0000000000..9e228ea04c --- /dev/null +++ b/ics-attack/attack-pattern/attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20.json 
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--a3f35792-5ac9-41a4-afcb-2e2734a8c24a", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", + "created": "2026-04-20T20:54:19.528Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1694/002", + "external_id": "T1694.002" + }, + { + "source_name": "ICS-ALERT-13-164-01", + "description": "Cybersecurity and Infrastructure Security Agency (CISA). (2013, October 29). Medical Devices Hard-Coded Passwords. Retrieved April 23, 2026.", + "url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01" + }, + { + "source_name": "OT IceFall", + "description": "Forescout Vedere Labs. (2022, June). OT: IceFall Report. Retrieved April 23, 2026.", + "url": "https://www.forescout.com/resources/ot-icefall-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:32:38.851Z", + "name": "Hardcoded Credentials", + "description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. 
These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset.(Citation: ICS-ALERT-13-164-01)(Citation: OT IceFall)\n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa.json b/ics-attack/attack-pattern/attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa.json new file mode 100644 index 0000000000..edde91a9a1 --- /dev/null +++ b/ics-attack/attack-pattern/attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa.json 
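Review bot: The description of the new Hardcoded Credentials object links to `[Default Credentials](https://attack.mitre.org/techniques/T0812)`, but the object named "Default Credentials" (attack-pattern--8bb4538f-…) is switched to `"revoked": true` further down in this commit. That object's `external_id` is outside the visible hunks, so this assumes it is T0812. If so, the link should name the technique that replaces it rather than the revoked one; otherwise readers comparing the two credential types land on a retired entry. Separately, `Examples credentials that may be hardcoded` should read `Example credentials that may be hardcoded`.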
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--c2b6b159-a963-467b-93de-f44d6c8258ea", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "created": "2026-04-20T20:54:23.383Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1695/003", + "external_id": "T1695.003" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:59:42.404Z", + "name": "Wi-Fi", + "description": "Adversaries may block access to Wi-Fi communications to prevent messages from reaching target systems and devices. Wi-Fi connections allow for communications between IT and OT systems and devices. 
Blocking Wi-Fi communications may also block command and reporting messages.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nAn adversary may block Wi-Fi communications by disabling network interfaces, [Service Stop](https://attack.mitre.org/techniques/T0881), conducting an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack and dropping the network traffic, or by jamming the Wi-Fi signal.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json b/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json index d22fbb4c0b..41b8af895d 100644 --- a/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json +++ b/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dda22b2e-b820-4269-8315-a60f91f8d53e", + "id": "bundle--32cbfeef-b59f-4e70-b8ae-0a29df205297", "spec_version": "2.0", "objects": [ { @@ -34,7 +34,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39.json b/ics-attack/attack-pattern/attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39.json new file mode 100644 index 0000000000..9e84a89124 --- /dev/null +++ b/ics-attack/attack-pattern/attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--4458c619-373a-40a3-b188-d6007c9ad55e", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "created": "2026-04-20T20:54:18.535Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1693/002", + "external_id": "T1693.002" + }, + { + "source_name": "Daniel Peck, Dale Peterson January 2009", + "description": "Daniel Peck, Dale Peterson 2009, January 28 Leveraging Ethernet Card Vulnerabilities in Field Devices Retrieved. 2017/12/19 ", + "url": "https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:15:57.683Z", + "name": "Module Firmware", + "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.\n\nThis technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices.(Citation: Daniel Peck, Dale Peterson January 2009)\n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. 
Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following:(Citation: Daniel Peck, Dale Peterson January 2009)\n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time.\n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return.\n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator.\n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise.\n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef.json b/ics-attack/attack-pattern/attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef.json new file mode 100644 index 0000000000..db74262535 --- /dev/null 
+++ b/ics-attack/attack-pattern/attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef.json
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--e0518f7e-8f7f-4a15-b6d3-9637664dd0a5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef",
+ "created": "2026-04-20T20:54:23.982Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0843/001",
+ "external_id": "T0843.001"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T00:01:28.898Z",
+ "name": "Download All",
+ "description": "Adversaries may execute a full program download to a PLC to overwrite the entire PLC program and configuration to deploy a new project or make major changes. This typically requires stopping the PLC and adversely impacting control processes.\n\nThe ability to perform a full program download to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d.json b/ics-attack/attack-pattern/attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d.json
index 08c56579ee..a2fc3428b3 100644
--- a/ics-attack/attack-pattern/attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d.json
+++ b/ics-attack/attack-pattern/attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--28dcf06f-fab4-4532-a6c2-d9487dfea006",
+ "id": "bundle--8d059ac8-57f6-4b6f-8f3d-dcc6d3ac4e43",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json b/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json
index d2514375e9..b889007efc 100644
--- a/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json
+++ b/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e72f73ff-1c62-4867-971d-1f677e9e7c9e",
+ "id": "bundle--1254b065-d409-4215-b398-8f100e54394d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -35,7 +35,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2.json b/ics-attack/attack-pattern/attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2.json
new file mode 100644
index 0000000000..88bd7be540
--- /dev/null
+++ b/ics-attack/attack-pattern/attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2.json
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--01fedaa5-4dda-4e59-9661-106e9248b227", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "created": "2026-04-20T20:54:16.584Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1691/002", + "external_id": "T1691.002" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:52:34.062Z", + "name": "Reporting Message", + "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. 
A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20.json b/ics-attack/attack-pattern/attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20.json new file mode 100644 index 0000000000..8000d31941 --- /dev/null +++ b/ics-attack/attack-pattern/attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--a13962b8-0ce0-493f-be5c-e5460b1a4c08", + "spec_version": "2.0", + "objects": [ + { + "type": "attack-pattern", + "id": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "created": "2026-04-20T20:50:34.850Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1693", + "external_id": "T1693" + }, + { + "source_name": "Basnight, Zachry, et al.", + "description": "Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ", + "url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:06:21.253Z", + "name": "Modify Firmware", + "description": "Firmware is low-level software embedded in hardware that enables systems and devices to function properly and is commonly found in ICS environments. Adversaries may modify firmware on a system or device by installing malicious or vulnerable versions that enable them to achieve objectives such as [Persistence](https://attack.mitre.org/tactics/TA0110), [Impair Process Control](https://attack.mitre.org/tactics/TA0106), and [Inhibit Response Function](https://attack.mitre.org/tactics/TA0107). \n\nAdversaries may modify system and device firmware by using the built-in firmware update functionality which may support local or remote installation. The malicious or vulnerable firmware may be delivered via [Replication Through Removable Media](https://attack.mitre.org/techniques/T0847), [Supply Chain Compromise](https://attack.mitre.org/techniques/T0862), or [Remote Services](https://attack.mitre.org/techniques/T0886). 
Once installed, the malicious or vulnerable firmware could be used to provide [Rootkit](https://attack.mitre.org/techniques/T0851) and [Hooking](https://attack.mitre.org/techniques/T0874) functionality, [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T0890), or [Denial of Service](https://attack.mitre.org/techniques/T0814).(Citation: Basnight, Zachry, et al.)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json b/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json index c7c749fa50..b8f48cba5b 100644 --- a/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json +++ b/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--70c39f4c-ce77-4969-a37a-f1bd0f4f2b1d", + "id": "bundle--712f3e2d-a550-4ebc-8cd5-514b91bcac16", "spec_version": "2.0", "objects": [ { @@ -50,7 +50,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json b/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json index 6c256c6342..d907bd7c8f 100644 
--- a/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json
+++ b/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--62d079d1-d907-47e2-ae72-72bc493c45eb",
+ "id": "bundle--54ab144a-a6a3-4515-b8a4-24a0c8fd0958",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,7 @@
 "id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
 "created": "2020-05-21T17:43:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
+ "revoked": true,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:26:15.909Z",
+ "modified": "2026-04-20T20:58:43.011Z",
 "name": "Spoof Reporting Message",
 "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ",
 "kill_chain_phases": [
@@ -39,7 +39,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
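Review bot: `"revoked": true` is set on Spoof Reporting Message in the `@@ -8,7 +8,7 @@` hunk, but nothing in this file section says which object supersedes it, and `x_mitre_deprecated` stays `false`. ATT&CK expresses the successor as a separate `revoked-by` relationship object, which would live outside this file, so please confirm the commit adds one for attack-pattern--8535b71e-…. Without it, tooling that drops revoked techniques loses the mapping instead of following it to the replacement. The same check applies to the Default Credentials object (attack-pattern--8bb4538f-…), which is revoked the same way two sections further down.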
diff --git a/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json b/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json
index efa01be33b..46024097a8 100644
--- a/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json
+++ b/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4e247916-4c7a-47f9-a078-c933e63a1a4b",
+ "id": "bundle--6fd2b4b0-bdcf-4c0b-9926-43ebe0cd610e",
 "spec_version": "2.0",
 "objects": [
 {
@@ -44,7 +44,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json b/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json
index f52c95ad14..781b9e8527 100644
--- a/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json
+++ b/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d161ae4c-3b2a-4844-8dd8-2920f7e72a1c",
+ "id": "bundle--83403d79-8636-49d4-804f-95c5e985f1bb",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,7 @@
 "id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
 "created": "2020-05-21T17:43:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
+ "revoked": true,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:26:16.206Z",
+ "modified": "2026-04-20T20:58:48.356Z",
 "name": "Default Credentials",
 "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.",
 "kill_chain_phases": [
@@ -35,7 +35,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json b/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json
index 583fdedb68..6dd74a487a 100644
--- a/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json
+++ b/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--18e639e2-20c0-4fd2-b20c-4bd47304d927",
+ "id": "bundle--f15379a2-50ab-45a6-899e-e0f986460123",
 "spec_version": "2.0",
 "objects": [
 {
@@ -40,7 +40,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json b/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json
index 8691b9732c..30ceff454d 100644
--- a/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json
+++ b/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4d3f05be-a222-42f9-b7c7-0de6ae133c9a",
+ "id": "bundle--8b941290-9863-44c1-9e12-a9181f6ff1f1",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json b/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json
index 83fd299537..8c6b14d5c4 100644
--- a/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json
+++ b/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ed4db855-fe90-4a83-af52-7a2b4c30bc2e",
+ "id": "bundle--04f13b2b-02b6-43da-a87e-346ee1d89873",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,7 +29,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": true,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json b/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json
index 8d35028257..e0c4cb8a09 100644
--- a/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json
+++ b/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6a7a9518-efcd-46e4-bf8e-aecefddae594", + "id": "bundle--02f22982-8c28-47c2-bff2-242313d9d727", "spec_version": "2.0", "objects": [ { @@ -43,7 +43,6 @@ "Conrad Layne - GE Digital" ], "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json b/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json index 4aa15862c2..32a9447627 100644 --- a/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json +++ b/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3fb2ba6-70f7-445b-8a9d-544580de21ad", + "id": "bundle--7bab2ec8-14f1-4e82-8312-383ddc89208a", "spec_version": "2.0", "objects": [ { @@ -30,7 +30,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json b/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json index ce20d1ada8..d93642cfe6 100644 --- a/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json +++ b/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--81156dad-7a4c-4cbb-af90-9d83c028ca57", + "id": "bundle--6088beec-503f-4ddb-b681-048d1ab3dba9", "spec_version": "2.0", "objects": [ { @@ -53,7 +53,6 @@ "Dragos Threat Intelligence" ], "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
diff --git a/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json b/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json index 905d06e28c..b6a22731c9 100644 --- a/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json +++ b/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--92830f4b-1936-45f4-aae3-4f43db2ae538", + "id": "bundle--a1d04228-fe01-49d5-9944-f616fe650aa0", "spec_version": "2.0", "objects": [ { @@ -33,7 +33,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json b/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json index 5da611e892..c6465f86d3 100644 --- a/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json +++ b/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f2a2994-3c64-4959-81a2-bbf006f34189", + "id": "bundle--183cb50a-eebd-42be-b4a4-8c0fc1577d51", "spec_version": "2.0", "objects": [ { @@ -44,7 +44,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json b/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json index 9725ac9f80..7cd7ce2553 100644 --- a/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json +++ b/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b28fff3d-b7a3-4731-a6c7-b91be857d913", + "id": "bundle--5cd57575-4616-469e-b051-82818c91cb6f", "spec_version": "2.0", "objects": [ { @@ -29,7 +29,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json b/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json index eb6db2bc12..767b79c3eb 100644 --- a/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json +++ b/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--525aa6cc-94d1-4360-81ee-5ca0cf865e56", + "id": "bundle--ee61e090-d199-47ba-9ebf-d1738686a4da", "spec_version": "2.0", "objects": [ { @@ -48,7 +48,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json b/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json index 573c4be7a4..8db44a42a1 100644 --- a/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json +++ b/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc8ef874-f9a8-4a66-aecc-eb6b9f66b904", + "id": "bundle--ff9a4641-b68a-459a-b12e-219b6fca1764", "spec_version": "2.0", "objects": [ { @@ -30,7 +30,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
diff --git a/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json b/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json index 1702889dfa..2ecac8fbb1 100644 --- a/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json +++ b/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--403f6934-2d0c-4dcc-a314-e0cc737193c4", + "id": "bundle--74d3ec7b-61b1-4c36-9a96-02246fb60519", "spec_version": "2.0", "objects": [ { @@ -40,7 +40,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json b/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json index 9cc92d4cad..8f92db8a92 100644 --- a/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json +++ b/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d681ec1-2d34-433e-85d0-4025c30c8eb6", + "id": "bundle--e4f13e9a-9a7f-4704-82f9-dd39d25e1e52", "spec_version": "2.0", "objects": [ { @@ -35,7 +35,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json b/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json index bae4545977..c7c6f97a32 100644 --- a/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json +++ b/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a6c7d39-d3c6-4a90-b7cf-984cb590f215", + "id": "bundle--4b7b77e8-f60f-4b1b-abb0-612834e7378b", "spec_version": "2.0", "objects": [ { @@ -50,7 +50,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json b/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json index 1548a8d4e6..b46186f30d 100644 --- a/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json +++ b/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6babf4b-fd82-4f7a-8257-e690075ce5a8", + "id": "bundle--1d33b8f6-7062-4a1f-9c7c-920e1b088cf9", "spec_version": "2.0", "objects": [ { @@ -14,15 +14,15 @@ "url": "https://attack.mitre.org/techniques/T0882", "external_id": "T0882" }, - { - "source_name": "Mark Thompson March 2016", - "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ", - "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/" - }, { "source_name": "Danny Yadron December 2015", "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ", "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559" + }, + { + "source_name": "Mark Thompson March 2016", + "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ", + "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/" } ], "object_marking_refs": [ @@ -39,7 +39,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
@@ -48,7 +47,8 @@ "x_mitre_platforms": [ "None" ], - "x_mitre_version": "1.0" + "x_mitre_version": "1.0", + "revoked": false } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json b/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json index b68356d79d..ddee16548d 100644 --- a/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json +++ b/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ecf2b1ed-bc3a-4ae1-8562-b349b0215042", + "id": "bundle--05d454e7-61d7-4c5c-a2b2-9f9dc1c4b43a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,7 @@ "id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, + "revoked": true, "external_references": [ { "source_name": "mitre-attack", 
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:17.862Z", + "modified": "2026-04-20T20:58:44.575Z", "name": "System Firmware", "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)", "kill_chain_phases": [ @@ -39,7 +39,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json b/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json index b8390e9283..30b0359d7d 100644 --- a/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json +++ b/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0055f44-6363-4c48-ab53-28189c7f0bd1", + "id": "bundle--97bc61c4-54bf-4c75-95fd-a4690e5ca36c", "spec_version": "2.0", "objects": [ { @@ -30,7 +30,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
diff --git a/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json b/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json index dcd55d1c3d..f7c9fc004b 100644 --- a/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json +++ b/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aeaac56f-b169-4c38-96cc-f2e25b4c1e3c", + "id": "bundle--ee33b0fa-67ba-4f92-925d-b3d7e2a3ad32", "spec_version": "2.0", "objects": [ { @@ -30,7 +30,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json b/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json index 2c45970d6e..920d5c3904 100644 --- a/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json +++ b/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3e477aaf-2764-4e5f-92ca-f3f655c157cd", + "id": "bundle--c83fbb57-2353-4af9-a649-9786ad5a778f", "spec_version": "2.0", "objects": [ { @@ -80,7 +80,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c.json b/ics-attack/attack-pattern/attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c.json new file mode 100644 index 0000000000..5cfed48ad9 --- /dev/null +++ b/ics-attack/attack-pattern/attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c.json 
@@ -0,0 +1,51 @@
+{
+ "type": "bundle",
+ "id": "bundle--fca90697-58b8-4189-afce-57e54c0ca29f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c",
+ "created": "2026-04-20T20:54:21.227Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0846/002",
+ "external_id": "T0846.002"
+ },
+ {
+ "source_name": "Cisco Active Discovery",
+ "description": "Cisco Systems, Inc.. (2024, March 5). Cisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0. Retrieved April 23, 2026.",
+ "url": "https://www.cisco.com/c/en/us/td/docs/security/cyber_vision/publications/Active-Discovery/Release-4-3-0/b_Cisco_Cyber_Vision_Active_Discovery_Configuration_Guide.pdf"
+ },
+ {
+ "source_name": "Broadcasting BACnet",
+ "description": "H. Michael Newman. (2010, November). Broadcasting BACnet\u00ae. Retrieved April 23, 2026.",
+ "url": "https://bacnet.org/wp-content/uploads/sites/4/2022/06/Newman_2010.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T19:43:10.464Z",
+ "name": "Broadcast Discovery",
+ "description": "Adversaries may perform broadcast discovery requests to enumerate systems and devices on a network. Broadcast discovery works by one system or device sending messages to all systems and devices on a network (or subnet) and then waiting for a response. If a response is received that means the system or device that responded is live and can communicate over that protocol. Adversaries may leverage different protocols supported on the network for sending broadcast messages. 
\n\nSome common OT protocols that have broadcast discovery mechanisms are Building Automation and Control Network (BACNet) Who-Is requests, Common Industrial Protocol (CIP) List Identity User Datagram Protocol (UDP) broadcast requests, and Siemens S7 broadcast identification requests.(Citation: Broadcasting BACnet)(Citation: Cisco Active Discovery)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json b/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json index fc796df5e3..223f8acdb6 100644 --- a/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json +++ b/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5935c0ef-91fd-49e5-b93f-b8781197d288", + "id": "bundle--dc26490f-b6d5-4745-af32-7136fd5b10be", "spec_version": "2.0", "objects": [ { @@ -34,7 +34,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -43,7 +42,8 @@ "x_mitre_platforms": [ "None" ], - "x_mitre_version": "1.0" + "x_mitre_version": "1.0", + "revoked": false } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json b/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json index aed4a613c0..ad18764c60 100644 --- a/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json 
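Review bot: The new Broadcast Discovery object (`@@ -0,0 +1,51 @@`) has three small text defects. The description spells the protocol `BACNet` while the cited source and the reference name use `BACnet`; the Cisco reference description has a doubled period in `Cisco Systems, Inc..`; and the description string ends in a stray `\n`. Suggested wording: `(BACnet) Who-Is requests`, `Cisco Systems, Inc. (2024, March 5).`, and drop the trailing `\n`. The same trailing `\n` appears in the descriptions of the new Online Edit and Unauthorized Message objects.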
+++ b/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6ec2befa-1a18-48af-acdf-b10876c56a30", + "id": "bundle--a5a70199-acd3-42be-a320-4254bcb2637d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,7 @@ "id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", "created": "2022-09-29T13:35:38.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, + "revoked": true, "external_references": [ { "source_name": "mitre-attack", @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:18.583Z", + "modified": "2026-04-20T20:58:49.917Z", "name": "Hardcoded Credentials", "description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset. \n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets. \n", "kill_chain_phases": [ @@ -37,7 +37,6 @@ "Aagam Shah, @neutrinoguy, ABB" ], "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
diff --git a/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json b/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json index 7ac438e1fd..71d685227e 100644 --- a/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json +++ b/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a16909ae-d643-41a5-9831-c33c0070fecf", + "id": "bundle--29d69d37-0e45-46c4-8f7b-b2077cc3b09a", "spec_version": "2.0", "objects": [ { @@ -39,7 +39,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json b/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json index ed805f232c..a8edafc52f 100644 --- a/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json +++ b/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4707cdb8-4cf9-406b-b41b-383ff1bea475", + "id": "bundle--3c29d3b1-f2d2-41cd-a7e2-1b978132b7f3", "spec_version": "2.0", "objects": [ { @@ -35,7 +35,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json b/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json index 3eb564df42..4d4dae2878 100644 --- a/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json +++ b/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a03048d0-dd03-4153-9291-b3662df50cbc", + "id": "bundle--892125fa-fcb5-4de1-bf67-5c703adb3721", "spec_version": "2.0", "objects": [ { @@ -24,18 +24,17 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:18.958Z", + "modified": "2026-04-23T19:39:03.420Z", "name": "Remote System Discovery", - "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used.(Citation: Enterprise ATT&CK January 2018)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "discovery" } ], - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json b/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json index 9b6832548f..e8c02f4e5b 100644 --- a/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json +++ b/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--73ead825-1127-485d-9b56-852023008a63", + "id": "bundle--bb016cfd-364b-4139-b6dc-9d40b6ebcb01", "spec_version": "2.0", "objects": [ { @@ -32,7 +32,6 @@ "Joe Slowik - Dragos" ], "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json b/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json index 22e1960bad..e463118383 100644 --- a/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json +++ b/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--06e7d5cc-d7e9-4228-87b8-c7e19b45a603", + "id": "bundle--742f2e95-c4cd-4eba-8df1-5c9393ba9c61", "spec_version": "2.0", "objects": [ { @@ -35,7 +35,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c.json b/ics-attack/attack-pattern/attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c.json new file mode 100644 index 0000000000..4ca49340ea --- /dev/null +++ b/ics-attack/attack-pattern/attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c.json 
@@ -0,0 +1,41 @@
+{
+ "type": "bundle",
+ "id": "bundle--b25d1104-7aee-4772-bb32-a550a09574bb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c",
+ "created": "2026-04-20T20:54:25.372Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0843/002",
+ "external_id": "T0843.002"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T17:40:18.368Z",
+ "name": "Online Edit",
+ "description": "Adversaries may execute an online edit of a PLC to update parts of an existing program. It does not require stopping the PLC which allows it to continue running during transfer and reconfiguration without interruption to process control. Adversaries may leverage this approach to minimize downtime and evade detection. \n\nThe ability to perform an online edit to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json b/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json
index 16ad0140a7..6478ecbca5 100644
--- a/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json
+++ b/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json
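Review bot: The new Online Edit object (T0843.002) has `mitre-attack` as its only `external_references` entry and no `(Citation: …)` marker in its description, so its claims are unsourced: that an online edit needs no PLC stop, and that it relies on a workstation with vendor programming software. The other two objects added in this commit each cite at least one source, so please add a reference entry and a matching citation marker here. With `x_mitre_detection` removed across the commit, this object also gives a defender no pointer to detection or logging guidance. If that content now lives in separate objects (not visible in this part of the diff), confirm one is linked to T0843.002 and to the other two new techniques.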
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b1e4a53f-f469-4fc5-a10e-e3b5fd5f181a", + "id": "bundle--612be1f4-a646-4481-95fb-8913cb567c92", "spec_version": "2.0", "objects": [ { @@ -38,8 +38,7 @@ "None" ], "x_mitre_version": "1.0", - "revoked": false, - "x_mitre_detection": "" + "revoked": false } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json b/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json index 23b3c9bc6b..2e233f8bd5 100644 --- a/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json +++ b/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--560ab0a6-1adf-484d-8b9e-fc4d31358d05", + "id": "bundle--da32a142-cdc5-4a2c-9a9f-94a9f64fcc25", "spec_version": "2.0", "objects": [ { @@ -43,7 +43,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], diff --git a/ics-attack/attack-pattern/attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3.json b/ics-attack/attack-pattern/attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3.json new file mode 100644 index 0000000000..eb5a5f71d5 --- /dev/null +++ b/ics-attack/attack-pattern/attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3.json 
@@ -0,0 +1,50 @@
+{
+ "type": "bundle",
+ "id": "bundle--0969dad9-0841-4cce-8a5c-b8444a554000",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3",
+ "created": "2026-04-20T20:50:34.487Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1692",
+ "external_id": "T1692"
+ },
+ {
+ "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+ "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+ "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T18:54:29.294Z",
+ "name": "Unauthorized Message",
+ "description": "Adversaries may send unauthorized messages to ICS systems and devices to evade defenses or manipulate processes. Unauthorized messages can be categorized as either reporting messages that contain telemetry data about the current state of systems, devices, and processes or as command messages which instruct systems and devices on how to operate. By injecting unauthorized messages, adversaries can make it appear as if everything is working correctly when it isn\u2019t, trigger alarms to misdirect personnel or impact processes, and manipulate controls to disrupt processes.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nAdversaries may send unauthorized messages in an ICS environment using software found within the environment (living-off-the-land, vendor-specific interfaces, etc.), custom tooling leveraging OT protocols and libraries, or by positioning themselves between systems and devices and injecting messages into the communications such as the case with an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack.\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "evasion"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impair-process-control"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json b/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json
index acd89f8ee6..a7a37e5bb6 100644
--- a/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json
+++ b/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--add80cd5-314b-4169-968e-ba094cdb0a33",
+ "id": "bundle--7dab1392-96a8-4dd4-b092-667a311ac01e",
 "spec_version": "2.0",
 "objects": [
 {
@@ -57,7 +57,6 @@
 "Daisuke Suzuki"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
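Review bot: The second entry in `external_references` of the new Unauthorized Message object carries a malformed citation string (`... 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 `, with a trailing space) and a plain `http://` link, presumably carried over from an older object. A new file is the place to normalise it to the format the campaign references in this commit use, e.g. `"description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry. (2011). A Taxonomy of Cyber Attacks on SCADA Systems. Retrieved January 12, 2018."`, and to switch the `url` scheme to `https://`. The same reference is added unchanged in attack-pattern--fbb67c2d-….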
diff --git a/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json b/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json
index 9c2972ee2a..13d12317f5 100644
--- a/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json
+++ b/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0020c476-02f1-4366-85e9-fcd7599108b9",
+ "id": "bundle--4f6e0c0f-36dc-400a-9c7c-82c4c869f93c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,7 +29,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": true,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json b/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json
index 66a3845c9b..3f8abecb3c 100644
--- a/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json
+++ b/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b1bcf942-a420-4342-bfcb-c76601d03bbf",
+ "id": "bundle--a6a7de7a-a17d-49a4-99b6-a8c612b812fc",
 "spec_version": "2.0",
 "objects": [
 {
@@ -50,7 +50,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json b/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json
index 68032a7508..3e325cf48f 100644
--- a/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json
+++ b/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--165b9894-db27-4961-8fd5-0493b32ad959",
+ "id": "bundle--ca1e4067-28c2-40a3-b2ab-1ce2aa968234",
 "spec_version": "2.0",
 "objects": [
 {
@@ -35,7 +35,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json b/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json
index b0153b4586..75c559a6be 100644
--- a/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json
+++ b/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--64d9e1c3-100d-4a11-9a0d-77ffad9d1608",
+ "id": "bundle--9d8b3011-db65-4002-87b2-b7877d90d06d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -33,7 +33,6 @@
 "Matan Dobrushin - Otorio"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json b/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json
index f95648ba29..7843c8d959 100644
--- a/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json
+++ b/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7c33b014-b51f-4e05-b8d3-8ad47208d4b7",
+ "id": "bundle--78a3ea49-6327-4676-88a8-e783a07f82b5",
 "spec_version": "2.0",
 "objects": [
 {
@@ -34,18 +34,17 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-15T19:59:17.481Z",
+ "modified": "2026-04-23T19:35:14.939Z",
 "name": "Project File Infection",
- "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)",
+ "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function.(Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques.(Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing.(Citation: PLCdev)",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-ics-attack",
 "phase_name": "persistence"
 }
 ],
- "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_attack_spec_version": "3.3.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -54,7 +53,7 @@
 "x_mitre_platforms": [
 "None"
 ],
- "x_mitre_version": "1.0"
+ "x_mitre_version": "1.1"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json b/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json
index 2b2b4c7aab..10aa124b96 100644
--- a/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json
+++ b/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5a9dde1d-276e-42b6-b231-c7629e410afe",
+ "id": "bundle--7d4302b1-7d23-4bcb-ac0c-1386dcaeaa1a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -40,7 +40,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json b/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json
index 6888f0c845..fac6a5997e 100644
--- a/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json
+++ b/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--57edacb6-7878-4769-b70d-d1f10c3d2b4f",
+ "id": "bundle--33b17bab-e5f4-4089-9f42-3578fe4578c0",
 "spec_version": "2.0",
 "objects": [
 {
@@ -35,7 +35,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json b/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json
index 3d733bea3f..af30b0cbdd 100644
--- a/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json
+++ b/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b28326b9-377f-4b66-90a4-3877ff35d4ae",
+ "id": "bundle--4136b8b4-cd33-4ab1-ba84-a328970a0bf1",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,7 @@
 "id": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
 "created": "2020-05-21T17:43:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
+ "revoked": true,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -24,7 +24,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:26:20.310Z",
+ "modified": "2026-04-20T20:58:46.789Z",
 "name": "Module Firmware",
 "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. \n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.",
 "kill_chain_phases": [
@@ -39,7 +39,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json b/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json
index a81350292d..a8db8769b1 100644
--- a/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json
+++ b/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a16c2b62-b014-4210-ba69-c25b18728d95",
+ "id": "bundle--203e6a5d-8cb1-48c3-abfe-0de8eace5471",
 "spec_version": "2.0",
 "objects": [
 {
@@ -50,7 +50,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json b/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json
index 02edf14202..112a1d8e28 100644
--- a/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json
+++ b/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8275be64-4269-4f27-997e-73f5de15ca5e",
+ "id": "bundle--36e5f52b-8b95-4e89-9ee8-5cf145011e28",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,7 +30,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json b/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json
index 6546cb10c3..94f2867425 100644
--- a/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json
+++ b/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1f1d5556-f58a-49f4-9b14-31b3e224d28c",
+ "id": "bundle--b0372bd4-3edf-440e-be20-aa8713f22cfb",
 "spec_version": "2.0",
 "objects": [
 {
@@ -38,7 +38,6 @@
 "Felix Eberstaller"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9.json b/ics-attack/attack-pattern/attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9.json
new file mode 100644
index 0000000000..059c880050
--- /dev/null
+++ b/ics-attack/attack-pattern/attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9.json
@@ -0,0 +1,46 @@
+{
+ "type": "bundle",
+ "id": "bundle--0adba48c-abef-4da6-9c69-3ee33ca44222",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9",
+ "created": "2026-04-20T20:50:35.776Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1695",
+ "external_id": "T1695"
+ },
+ {
+ "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+ "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+ "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T19:52:53.490Z",
+ "name": "Block Communications",
+ "description": "Operational technology communications occur over serial COM, Ethernet, Wi-Fi, cellular (4G/5G), and satellite mediums. Adversaries may block communications to prevent reporting messages and command messages from reaching their intended target devices disrupting processes, operations, and causing cyber-physical impacts.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAdversaries may block communications by either making modifications to software ([System Firmware](https://attack.mitre.org/techniques/T0857), [Module Firmware](https://attack.mitre.org/techniques/T0839), [Hooking](https://attack.mitre.org/techniques/T0874), and [Rootkit](https://attack.mitre.org/techniques/T0851)) and services ([Service Stop](https://attack.mitre.org/techniques/T0881), [Denial of Service](https://attack.mitre.org/techniques/T0814)) on systems and devices or by positioning themselves between systems and devices and intercepting and blocking the communications such as the case with an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack.\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json b/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json
index 78f07507f0..0af32706b6 100644
--- a/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json
+++ b/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--18bd5a46-555b-4bf7-85db-818fa006ed6b",
+ "id": "bundle--0a5ceb4a-c725-4cbf-8316-3fe2375ba75a",
 "spec_version": "2.0",
 "objects": [
 {
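Review bot: The `description` of the new Block Communications object links `[Module Firmware](https://attack.mitre.org/techniques/T0839)`, but the object named Module Firmware (attack-pattern--efbf7888-…) is set to `"revoked": true` earlier in this same commit. A reader following the link from a new technique lands on a revoked entry; point the link at whatever object replaces it (not visible in this part of the diff) or drop it from the list. It is worth checking the other techniques linked in that sentence against the commit's revocations in the same way.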
@@ -35,7 +35,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
diff --git a/ics-attack/campaign/campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f.json b/ics-attack/campaign/campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f.json
index 3163adc0b9..33f012786b 100644
--- a/ics-attack/campaign/campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f.json
+++ b/ics-attack/campaign/campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ed10929d-8e5f-4176-a84d-b4776bdb95c4",
+ "id": "bundle--e27b5a68-ac41-445c-91d4-b21f2687bc9f",
 "spec_version": "2.0",
 "objects": [
 {
@@ -17,6 +17,7 @@
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
 "type": "campaign",
+ "spec_version": "2.1",
 "id": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f",
 "created": "2024-11-20T23:15:36.728Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -42,11 +43,7 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack",
- "enterprise-attack"
- ]
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/campaign/campaign--45a98f02-852f-49b2-94c0-c63207bebbbf.json b/ics-attack/campaign/campaign--45a98f02-852f-49b2-94c0-c63207bebbbf.json
index 3a0402c234..51b6699964 100644
--- a/ics-attack/campaign/campaign--45a98f02-852f-49b2-94c0-c63207bebbbf.json
+++ b/ics-attack/campaign/campaign--45a98f02-852f-49b2-94c0-c63207bebbbf.json
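Review bot: The hunk `@@ -17,6 +17,7 @@` in campaign--1169ff24-… adds `"spec_version": "2.1"` to the campaign object while the enclosing bundle still declares `"spec_version": "2.0"`. In STIX 2.0 the version is a bundle property and objects do not carry it; in STIX 2.1 it is the other way round, so the file now validates strictly against neither, and a parser keyed on the bundle version can treat the object differently from one keyed on the object version. Either remove the bundle-level property or keep the objects at 2.0, and apply the same choice to the attack-pattern files, which get no object-level `spec_version` in this commit. The same addition appears in campaign--45a98f02-…, --46421788-…, --65281d3e-…, --70cab19e-…, --8fda050f-…, --a6aba167-…, --aa73efef-… and --df8eb785-…; the campaign object itself starts and ends outside this hunk.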
@@ -1,22 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--3dc83f9b-bad8-4687-a7f4-858ba2f8dc90",
+ "id": "bundle--7cfff013-c592-4026-9115-1227b7ed0efa",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2024-11-17T16:15:02.223Z",
- "name": "Triton Safety Instrumented System Attack",
- "description": "[Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign employed by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization.(Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.(Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.(Citation: FireEye TRITON 2017)\n",
- "aliases": [
- "Triton Safety Instrumented System Attack"
- ],
- "first_seen": "2017-06-01T04:00:00.000Z",
- "last_seen": "2017-08-01T04:00:00.000Z",
- "x_mitre_first_seen_citation": "(Citation: Triton-EENews-2017)",
- "x_mitre_last_seen_citation": "(Citation: Triton-EENews-2017)",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
 "type": "campaign",
+ "spec_version": "2.1",
 "id": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
 "created": "2024-03-25T17:47:37.619Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -46,12 +35,20 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "x_mitre_attack_spec_version": "3.2.0",
+ "modified": "2026-04-23T00:24:57.457Z",
+ "name": "Triton Safety Instrumented System Attack",
+ "description": "[Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign employed by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization.(Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.(Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.(Citation: FireEye TRITON 2017)\n",
+ "aliases": [
+ "Triton Safety Instrumented System Attack"
+ ],
+ "first_seen": "2017-06-01T04:00:00.000Z",
+ "last_seen": "2017-08-01T04:00:00.000Z",
+ "x_mitre_first_seen_citation": "(Citation: Triton-EENews-2017)",
+ "x_mitre_last_seen_citation": "(Citation: Triton-EENews-2017)",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack",
- "enterprise-attack"
- ]
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json b/ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json
index 0d474dc530..1f2a4d57e0 100644
--- a/ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json
+++ b/ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d5416395-e9fb-471d-8ab4-b77ec47086dd",
+ "id": "bundle--5c787ef4-39f2-41ee-b834-bbf2b59511f4",
 "spec_version": "2.0",
 "objects": [
 {
@@ -17,6 +17,7 @@
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
 "type": "campaign",
+ "spec_version": "2.1",
 "id": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
 "created": "2023-09-27T13:11:52.340Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -37,11 +38,7 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack",
- "enterprise-attack"
- ]
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json b/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json
index 6e5c0add3c..006beea2fb 100644
--- a/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json
+++ b/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--4e31ca54-88a5-48c1-abdb-d270ee8801c1",
+ "id": "bundle--5756eb1b-37cc-40d5-9c76-497f5d548646",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "campaign",
+ "spec_version": "2.1",
 "id": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2",
 "created": "2022-09-20T20:53:14.373Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -47,10 +48,7 @@
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": true,
 "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_domains": [
- "ics-attack"
- ]
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json b/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json
index e565da716a..3791638d39 100644
--- a/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json
+++ b/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--71e7c7ad-6db5-4ec8-a861-704771654b95",
+ "id": "bundle--d40ddd17-c5d3-4df9-9a02-2f8e58a72a96",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "campaign",
+ "spec_version": "2.1",
 "id": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a",
 "created": "2023-03-10T20:01:08.133Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -37,10 +38,7 @@
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_domains": [
- "ics-attack"
- ]
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/campaign/campaign--8fda050f-470d-4401-994e-35c1a6c301de.json b/ics-attack/campaign/campaign--8fda050f-470d-4401-994e-35c1a6c301de.json
index c7df4f7e1b..56335c32a3 100644
--- a/ics-attack/campaign/campaign--8fda050f-470d-4401-994e-35c1a6c301de.json
+++ b/ics-attack/campaign/campaign--8fda050f-470d-4401-994e-35c1a6c301de.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--300d97a7-46c6-4898-9687-706ffdc48162",
+ "id": "bundle--867bdd42-76c8-4573-9ef6-44d9185ed44a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -17,6 +17,7 @@
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
 "type": "campaign",
+ "spec_version": "2.1",
 "id": "campaign--8fda050f-470d-4401-994e-35c1a6c301de",
 "created": "2024-03-25T19:58:53.090Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -47,10 +48,7 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "ics-attack"
- ]
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/campaign/campaign--a6aba167-5ada-4812-9da1-912c0e73335d.json b/ics-attack/campaign/campaign--a6aba167-5ada-4812-9da1-912c0e73335d.json
new file mode 100644
index 0000000000..08b913d2cc
--- /dev/null
+++ b/ics-attack/campaign/campaign--a6aba167-5ada-4812-9da1-912c0e73335d.json
@@ -0,0 +1,63 @@
+{
+ "type": "bundle",
+ "id": "bundle--a8c87864-97f6-4a23-9f72-19ad06994522",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "campaign",
+ "spec_version": "2.1",
+ "id": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d",
+ "created": "2026-04-22T19:33:22.532Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/campaigns/C0063",
+ "external_id": "C0063"
+ },
+ {
+ "source_name": "CERT Polska",
+ "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.",
+ "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
+ },
+ {
+ "source_name": "ESET DynoWiper Update JAN 2026",
+ "description": "ESET. (2026, January 30). DynoWiper update: Technical analysis and attribution. Retrieved April 22, 2026.",
+ "url": "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/"
+ },
+ {
+ "source_name": "ESET DynoWiper JAN 2026",
+ "description": "ESET. (2026, January 30). Russian Sandworm group attacks energy company in Poland with DynoWiper, ESET Research discovers. Retrieved April 22, 2026.",
+ "url": "https://www.eset.com/us/about/newsroom/research/eset-research-russian-sandwormapt-attacks-energy-company-poland-with-dynowiper/"
+ },
+ {
+ "source_name": "Dragos ELECTRUM JAN 2026",
+ "description": "https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf. (2026, January). ELECTRUM: CYBER ATTACK ON POLAND\u2019S ELECTRIC SYSTEM 2025. Retrieved April 22, 2026.",
+ "url": "https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T23:21:30.984Z",
+ "name": "2025 Poland Wiper Attacks",
+ "description": "[2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063) is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, [DynoWiper](https://attack.mitre.org/software/S9038), a Windows-based wiper and [LazyWiper](https://attack.mitre.org/software/S9039), a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group [Dragonfly](https://attack.mitre.org/groups/G0035), also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)(Citation: ESET DynoWiper JAN 2026)(Citation: ESET DynoWiper Update JAN 2026)",
+ "aliases": [
+ "2025 Poland Wiper Attacks",
+ "2025 Poland Wiper Campaign"
+ ],
+ "first_seen": "2025-03-01T05:00:00.000Z",
+ "last_seen": "2025-12-01T05:00:00.000Z",
+ "x_mitre_first_seen_citation": "(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)",
+ "x_mitre_last_seen_citation": "(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Dragos Threat Intelligence"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json b/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json
index 4bae0d8151..9edd3701d4 100644
--- a/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json
+++ b/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--a0733a2c-cbe8-4803-9441-b1b8e71cd31b",
+ "id": "bundle--55397b73-1f87-4041-934a-a8219da2f668",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "campaign",
+ "spec_version": "2.1",
 "id": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234",
 "created": "2023-03-31T17:22:23.567Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
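Review bot: In the `Dragos ELECTRUM JAN 2026` reference of the new campaign object, the `description` starts with the report URL where the author belongs, so the rendered citation opens with a link instead of a publisher. Something like `"description": "Dragos. (2026, January). ELECTRUM: CYBER ATTACK ON POLAND\u2019S ELECTRIC SYSTEM 2025. Retrieved April 22, 2026."` would match the other three references. The `url` also points at `5943619.hs-sites.com`, which looks like a hosting-platform address rather than the publisher's own domain; if a canonical publisher link exists, it would be a more durable and verifiable source for readers.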
@@ -42,11 +43,7 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ] + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/ics-attack/campaign/campaign--df8eb785-70f8-4300-b444-277ba849083d.json b/ics-attack/campaign/campaign--df8eb785-70f8-4300-b444-277ba849083d.json index fb77f9ab68..bb912b2319 100644 --- a/ics-attack/campaign/campaign--df8eb785-70f8-4300-b444-277ba849083d.json +++ b/ics-attack/campaign/campaign--df8eb785-70f8-4300-b444-277ba849083d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8d6495ce-1c6e-44eb-a876-3fbac7686942", + "id": "bundle--b4754cf7-a469-4107-8fdf-a901cd6dfe8b", "spec_version": "2.0", "objects": [ { @@ -17,6 +17,7 @@ "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", + "spec_version": "2.1", "id": "campaign--df8eb785-70f8-4300-b444-277ba849083d", "created": "2024-03-27T19:43:25.703Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -42,11 +43,7 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ] + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json b/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json index 31d73da021..ad3d114c06 100644 --- a/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json +++ b/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json 
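Review bot: Removing `x_mitre_domains` from this campaign changes the object's content, yet `x_mitre_version` stays at `"1.0"` and no `modified` line appears in either hunk of the file, so the timestamp is presumably unchanged. Tooling that syncs incrementally on `modified`, or that filters campaigns by `x_mitre_domains` to build an ICS-only view, would miss the edit or drop the object. The `modified` value should be bumped together with the edit, and it is worth confirming that domain membership is now meant to come from the directory or collection rather than from the object. campaign--df8eb785-70f8-4300-b444-277ba849083d.json has the same removal, and course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json adds `"revoked": false` with equally unchanged version fields.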
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6b340abd-5131-4fa6-a5be-b5b0e6384204",
+ "id": "bundle--dd254643-54d7-4704-84b7-79207c123209",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json b/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json
index 8afa253d51..5e2d844a51 100644
--- a/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json
+++ b/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ebdd544f-8161-4234-ad4d-6ab651ae7a20",
+ "id": "bundle--fecac774-38b8-4ff6-9efe-01b03fe16875",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:26.074Z", + "modified": "2026-04-23T00:45:45.801Z", "name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)", "labels": [ @@ -37,8 +37,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json b/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json index 18ec3b552b..77c10191c4 100644 --- a/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json +++ b/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f14f5508-383b-4d06-8845-71d44733f255",
+ "id": "bundle--9151a807-00c5-4d33-af48-4dd66b3c38c0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json b/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json
index ae4743605c..b672828c42 100644
--- a/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json
+++ b/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--759f6582-2f30-4c9a-b105-460b49a4d2ad",
+ "id": "bundle--78dc0bd5-50da-45ef-a14d-ad97018aa021",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json b/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json
index f986d54aa8..cfa29671e7 100644
--- a/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json
+++ b/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--53cd2908-fd21-4034-9c76-cf20332443c1",
+ "id": "bundle--a7a354cb-be34-410a-ae75-11f15ceb1128",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:26.551Z", + "modified": "2026-04-23T00:46:09.190Z", "name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. (Citation: IEC February 2019) (Citation: IEC August 2013)", "labels": [ @@ -42,8 +42,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json b/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json index a06483b4f6..983b8b5bfd 100644 --- a/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json +++ b/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--077dd475-d1a9-4b2e-94e7-124376cbf4ea", + "id": "bundle--c7a16923-90e8-4e71-bf60-615c89b92442", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json b/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json index 734dac9099..7fd061a27a 100644 --- a/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json +++ b/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7e63f87b-d8a7-4f62-9881-a5843521a31a", + "id": "bundle--751ba0f2-f911-4c7e-97af-9584e5302bed", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json b/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json index 44ea2c1057..3ef692ae57 100644 --- a/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json +++ b/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3bceddea-a99c-4038-90f9-c0871c94a052", + "id": "bundle--746b5da7-9726-4336-9781-feb38bbadd52", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:27.092Z", + "modified": "2026-04-23T00:47:04.457Z", "name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.", "labels": [ @@ -32,8 +32,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json b/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json index 1e04f0695b..c8b3f9e430 100644 --- a/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json +++ b/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--996cfe0f-ddc3-4c96-a076-d339d34ff518", + "id": "bundle--9db2acf6-c872-4ed7-956f-cadc543198f1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json b/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json index 143af74f6e..7f1904860f 100644 --- a/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json +++ b/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c2f63e7e-730d-4c46-9c10-3b6db0186022", + "id": "bundle--3fecec17-063d-4544-8e84-2792ecf9e1c6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json b/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json index 6eccd416ef..525f6f61dc 100644 --- a/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json +++ b/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json 
@@ -1,22 +1,9 @@ { "type": "bundle", - "id": "bundle--28073f3a-d535-4895-ac77-7690bd3f0f39", + "id": "bundle--da859964-1bdf-4ddf-8638-6f43221a1f2d", "spec_version": "2.0", "objects": [ { - "modified": "2025-03-12T16:11:54.933Z", - "name": "Access Management", - "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)", - "labels": [ - "IEC 62443-3-3:2013 - SR 2.1", - "IEC 62443-4-2:2019 - CR 2.1", - "NIST SP 800-53 Rev. 5 - AC-3" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", "type": "course-of-action", "id": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "created": "2020-09-11T16:32:21.854Z", 
@@ -42,8 +29,21 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-23T00:47:44.798Z", + "name": "Access Management", + "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)", + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 5 - AC-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json b/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json index 7b4aa91cc4..8235fe67a2 100644 --- a/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json +++ b/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bb9f5930-9dae-4160-b55c-59e49d9c35ff", + "id": "bundle--5e3fd311-c1a8-4bf8-bfcd-4ec21c8968c1", "spec_version": "2.0", "objects": [ { 
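Review bot: The `description` re-added in this hunk still reads "authorization polices"; it should be `authorization policies`, and since the line is being rewritten anyway this is the natural point to correct it. Apart from `modified`, `x_mitre_version` and `x_mitre_attack_spec_version`, the name, description and labels come back unchanged: the block removed at the top of the file and the lines added here differ only in key order. A stable key order in the export would keep such diffs down to the lines that really changed, which matters when a reviewer has to notice an edited mitigation text. course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json and course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json show the same reordering.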
@@ -27,7 +27,8 @@ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.2.0", + "revoked": false } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json b/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json index 25eb9c3e0c..044acd5d8b 100644 --- a/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json +++ b/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a21acdd2-4330-4bc5-862a-d89769818a32", + "id": "bundle--3a4131b6-1386-45f6-a1f7-2af7f9b7b9f2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json b/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json index e0d5ea6486..31f8f9199a 100644 --- a/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json +++ b/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60a40879-a49c-4e7f-824f-7647529cbabf", + "id": "bundle--5d2f2c1d-b59a-453d-bd46-152ab3ad45ab", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json b/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json index 6e6fbe57de..8f95a18fb3 100644 --- a/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json +++ b/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--adcddf6f-5a5f-4791-9f32-78ff1dc6fb4e", + "id": "bundle--76bd9499-e486-4b15-b257-f95013bbab0b", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json b/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json index 0f3c01c8fc..21937b44f6 100644 --- a/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json +++ b/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--db33a84e-485d-4122-9e5e-15fb90c4ec07", + "id": "bundle--a921c99c-6a1e-4645-b346-c383ee6d84e6", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:28.312Z", + "modified": "2026-04-23T00:50:32.432Z", "name": "Static Network Configuration", "description": "Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.", "labels": [ @@ -32,8 +32,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json b/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json index 92f62bdabd..fa3230ddfc 100644 --- a/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json +++ b/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--084fb81a-a88c-4120-9394-c29fa17745af",
+ "id": "bundle--96a80ae5-09ae-4338-8106-4a0a3ac6b296",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json b/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json
index e9858eb0b0..0202254d9c 100644
--- a/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json
+++ b/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2efe678b-5be9-46eb-a374-cda5851b8a1b",
+ "id": "bundle--bffb8466-933c-4734-b24c-c1bee4c60a99",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json b/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json
index 1efaaebf57..df1e08a832 100644
--- a/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json
+++ b/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json
@@ -1,22 +1,9 @@ { "type": "bundle", - "id": "bundle--0c5a563b-9129-4f5d-be35-405907a7e0b0", + "id": "bundle--51dba6ac-a7a4-4e16-b165-6e887a94adef", "spec_version": "2.0", "objects": [ { - "modified": "2023-10-20T17:02:00.299Z", - "name": "Human User Authentication", - "description": "Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).", - "labels": [ - "IEC 62443-3-3:2013 - SR 1.1", - "IEC 62443-4-2:2019 - CR 1.1", - "NIST SP 800-53 Rev. 5 - IA-2" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "created": "2020-09-11T16:32:21.854Z", 
@@ -32,8 +19,21 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-23T00:50:55.165Z", + "name": "Human User Authentication", + "description": "Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.1", + "IEC 62443-4-2:2019 - CR 1.1", + "NIST SP 800-53 Rev. 5 - IA-2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json b/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json index 4c237157c8..ba44e27426 100644 --- a/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json 
+++ b/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4928ba02-3f88-46d6-8c08-2332336b0ee1", + "id": "bundle--41d18774-dfb0-4188-99af-5488e68a7434", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json b/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json index eb2a807da0..99db92f80b 100644 --- a/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json +++ b/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8af02f0d-7166-4018-8456-72b3d5cb64d3", + "id": "bundle--1f2a69bf-f42b-401b-bd66-b58f79236b74", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:28.975Z", + "modified": "2026-04-23T00:54:56.965Z", "name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "labels": [ @@ -32,8 +32,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json b/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json index 9420373b57..21ef354941 100644 --- a/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json +++ b/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json 
@@ -1,22 +1,9 @@ { "type": "bundle", - "id": "bundle--de543b74-0fdb-4852-8717-32197beaf5a3", + "id": "bundle--29dfab53-5cb7-4bde-9ddd-1e393f0012fb", "spec_version": "2.0", "objects": [ { - "modified": "2024-10-14T20:31:04.927Z", - "name": "Software Process and Device Authentication", - "description": "Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.", - "labels": [ - "IEC 62443-3-3:2013 - SR 1.2", - "IEC 62443-4-2:2019 - CR 1.2", - "NIST SP 800-53 Rev. 5 - IA-3" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "created": "2019-06-06T21:16:18.709Z", @@ -32,8 +19,21 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-23T00:55:20.765Z", + "name": "Software Process and Device Authentication", + "description": "Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.2", + "IEC 62443-4-2:2019 - CR 1.2", + "NIST SP 800-53 Rev. 5 - IA-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json b/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json index a6f471e517..19656ed5c5 100644 --- a/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json +++ b/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63d257f4-49bd-41a7-a84b-a770c094e353", + "id": "bundle--46f3efe9-7a25-402e-9063-623bafbfe6c5", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:29.147Z", + "modified": "2026-04-23T00:55:38.098Z", "name": "Encrypt Network Traffic", "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.", "labels": [ @@ -32,8 +32,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json b/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json index 7fcece3ed3..6e15b54e6e 100644 --- a/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json +++ b/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--016c8336-f525-4657-9553-698b9b4f3074", + "id": "bundle--52abcdef-5093-4879-8d85-2310e9b43d44", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json b/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json index 5a158f8a42..389ebf10ea 100644 --- a/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json +++ b/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5e73c338-6763-4833-a630-f2eaf83cd0ee", + "id": "bundle--d1619096-55ac-42d2-89e9-a91b9aacdadb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json b/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json index 243e7daf66..2c0760c87c 100644 --- a/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json +++ b/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f1fa548b-d840-42f3-84ea-39cd5b1e133d", + "id": "bundle--e93b939d-72d8-4354-8b86-c80560850c93", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:29.725Z", + "modified": "2026-04-23T00:55:57.931Z", "name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "labels": [ @@ -31,8 +31,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json b/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json
index ae1c6901df..e8f248e1f4 100644
--- a/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json
+++ b/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ea9bce0b-f3d9-4044-9eee-d1306361c991",
+ "id": "bundle--444bf43e-fea7-4c62-b69b-10261b2a12aa",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json b/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json
index d3fd1b6bcb..12b873e8fd 100644
--- a/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json
+++ b/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--582439b7-1000-4c6f-8cc6-6bd7ea909429",
+ "id": "bundle--62919839-f4fd-4d8b-a578-f9c745413879",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json b/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json
index 1c3a289952..162f806114 100644
--- a/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json
+++ b/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c422363b-45ae-447b-a556-68a9a0b9f346",
+ "id": "bundle--39ffd68d-a416-4b8b-9fb3-11747f7a4d06",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json b/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json
index eafda4494e..eef9707aef 100644
--- a/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json
+++ b/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--99d70493-a851-499e-b623-a28bcdfa44f0",
+ "id": "bundle--b597871d-4ed2-4e86-bef2-4f180c25e065",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json b/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json
index ed8bcc167f..873de2fe91 100644
--- a/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json
+++ b/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3b26d088-747f-4ccc-8562-48e021bd7d1f",
+ "id": "bundle--6ef795fd-4aac-4ece-ad4d-99052887b6b6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json b/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json
index 8c6d651f13..896f290ae6 100644
--- a/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json
+++ b/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--203c60c5-2392-45fa-ad3a-a52ee6ffcb0c",
+ "id": "bundle--8c64c14b-f98c-44be-9464-96a42e59d632",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json b/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json index e82e709a76..f3482c3ecf 100644 --- a/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json +++ b/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--24d00106-96d6-422d-b934-31537fb9f147", + "id": "bundle--040e9ac5-b639-4204-a2e7-621cd22354a7", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:31.005Z", + "modified": "2026-04-23T00:56:16.357Z", "name": "Encrypt Sensitive Information", "description": "Protect sensitive data-at-rest with strong encryption.", "labels": [ @@ -32,8 +32,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json b/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json index 5d63c1f944..eaca69f61f 100644 --- a/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json +++ b/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75f6af64-1dce-4c32-bba7-4247ee869e3d", + "id": "bundle--873550e5-50bb-41eb-a905-9257244888ee", "spec_version": "2.0", "objects": [ { 
@@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:31.149Z", + "modified": "2026-04-23T00:56:32.131Z", "name": "Network Allowlists", "description": "Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", "labels": [ @@ -30,8 +30,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json b/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json index 8024064a0c..7e75966dc6 100644 --- a/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json +++ b/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--38f3c079-fa65-45b4-a7a3-7f77a00aab4e", + "id": "bundle--14f69e33-376c-44f1-9828-38d1a1d7d5e4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json b/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json index 142d2f87bd..3e461b1a3a 100644 --- a/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json +++ b/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8fa325df-0548-432a-9789-5f6e3d4c222c", + "id": "bundle--ee05aff3-83ea-4487-9c5e-e856310ee776", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json b/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json index 17396e8159..37aeef15cf 100644 --- a/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json +++ b/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7721d174-1d8c-44af-aa32-73f11ab3e899", + "id": "bundle--5054b92a-5e9a-4ae6-b1aa-f9c62fc0248a", "spec_version": "2.0", "objects": [ { @@ -29,7 +29,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:31.696Z", + "modified": "2026-04-23T00:56:53.267Z", "name": "Out-of-Band Communications Channel", "description": "Have alternative methods to support communication requirements during communication failures and data integrity attacks. (Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)", "labels": [ @@ -40,8 +40,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json b/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json index dcdada61ba..6b3f9e39a3 100644 --- a/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json +++ b/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7216bf5a-d3d1-45c0-b41e-065018e48b67", + "id": "bundle--6bb452c8-9e34-46a4-afc4-d3f7ba60c920", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:31.848Z", + "modified": "2026-04-23T00:54:39.756Z", "name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.", "labels": [ @@ -33,8 +33,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json b/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json index dda51fdcc9..8b5df1711a 100644 --- a/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json +++ b/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--385308c0-ee27-43de-b0f7-3783ee7190b9", + "id": "bundle--8931bc3b-0eec-40f2-9d35-d13c0207864e", "spec_version": "2.0", "objects": [ { 
@@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:32.013Z", + "modified": "2026-04-23T00:54:21.289Z", "name": "Communication Authenticity", "description": "When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.", "labels": [ @@ -32,8 +32,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json b/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json index baaf5496ee..ef61f6eb97 100644 --- a/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json +++ b/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a563e221-ceb1-4bbf-9357-5ad32e853945", + "id": "bundle--e649e682-8c7f-454a-a2b8-9e5232661a18", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json b/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json index 8558925076..0d5a1fc5f7 100644 --- a/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json +++ b/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6359aaf8-b6f5-4959-bc88-7cb24faee6c2", + "id": "bundle--aa3b6f65-54b6-420c-9c5a-c4ad9644e9bd", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json b/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json index f9ddb56415..304c499a6a 100644 --- a/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json +++ b/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7f123edb-c3ce-45ad-a391-cfcef9b8638f", + "id": "bundle--b300f9f0-ab31-4566-8cec-4d843d62fc55", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json b/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json index d420dd5a92..325ba8d68f 100644 --- a/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json +++ b/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c07de482-b85f-4c54-80f6-8d6abb1e66b0", + "id": "bundle--ba7caa7b-107b-4403-aa9e-c06252c555a8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json b/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json index 934ac58e42..8ab560a4d7 100644 --- a/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json +++ b/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--03ba5afb-6a55-4020-8e92-3ae7088317ea", + "id": "bundle--b13bc701-75b8-4bd5-ac22-e208aa7bb1d5", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json b/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json index 8c3c681209..e298884195 100644 --- a/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json +++ b/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--476c7358-e1a7-44e5-a238-e1c21ad46036", + "id": "bundle--292afc5c-c5da-4d59-bec9-f3fbb327b0d8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json b/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json index 549f39c060..3401685ff6 100644 --- a/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json +++ b/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json 
@@ -1,22 +1,9 @@ { "type": "bundle", - "id": "bundle--33b08f81-3cc0-4502-af7d-d315967d6e74", + "id": "bundle--c7070e5e-d3a8-4c7b-adf3-b002270a8025", "spec_version": "2.0", "objects": [ { - "modified": "2023-10-20T17:01:38.562Z", - "name": "Authorization Enforcement", - "description": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)", - "labels": [ - "IEC 62443-3-3:2013 - SR 2.1", - "IEC 62443-4-2:2019 - CR 2.1", - "NIST SP 800-53 Rev. 5 - AC-3" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "created": "2020-09-11T16:32:21.854Z", 
@@ -42,8 +29,21 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-23T00:54:03.965Z", + "name": "Authorization Enforcement", + "description": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)", + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 5 - AC-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json b/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json index a8a304e1e9..3ec03f7a9a 100644 --- a/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json +++ b/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--29733008-6a4d-44b9-bbd7-7a137029b804", + "id": "bundle--c02f521b-4810-4b85-b657-d2c2b5ce3d22", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json b/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json index 806e12e83b..9245e54db5 100644 --- a/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json +++ b/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--46f4298a-11dd-4c5a-90fc-a4335ad7df2e", + "id": "bundle--d9dfa430-f7a7-4ad5-a5e8-1f4c3f730805", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json b/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json index 5feee0cd8a..daa317512a 100644 --- a/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json +++ b/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a2266b5f-bcaa-45b4-b399-714f60d88a84", + "id": "bundle--92afb04b-446d-4a3d-8525-9cd294efdf05", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:33.651Z", + "modified": "2026-04-23T00:57:09.061Z", "name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "labels": [ @@ -32,8 +32,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json b/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json index c323b96404..6a7c8957d9 100644 --- a/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json +++ b/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d919248-467f-42df-b42f-f80e27603324", + "id": "bundle--dc5705a2-2f49-47ef-aa88-286dc03fb7d7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json b/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json index ceaa407a0d..8eacba3bc3 100644 --- a/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json +++ b/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee6d3e6b-c357-439b-bc36-d322b8d9165e", + "id": "bundle--75637622-c87c-42cf-9f72-185f95cd34c4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json b/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json index 9959ce2eda..c3c87324da 100644 --- a/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json +++ b/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0efcc259-c516-4790-be8f-2fc5bd5caa6c", + "id": "bundle--d517ce5d-7411-4a5f-baf8-6cf51fc4cd65", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/ics-attack.json b/ics-attack/ics-attack.json index 0c10e87a01..046e832a3d 100644 --- a/ics-attack/ics-attack.json +++ b/ics-attack/ics-attack.json 
@@ -1,25 +1,26 @@ { "type": "bundle", - "id": "bundle--3a9ade1d-5f58-4050-9d66-13dc9d4e17e3", + "id": "bundle--93b0ce3a-4df3-475e-8a2a-549fe8f3f0b0", "objects": [ { "type": "x-mitre-matrix", "id": "x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/matrices/ics/", + "url": "https://attack.mitre.org/matrices/ics-attack", "external_id": "ics-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-25T14:39:11.147Z", + "modified": "2026-04-14T17:36:35.980Z", "name": "ATT&CK for ICS", - "description": "The full ATT&CK for ICS Matrix includes techniques spanning various ICS assets and can be used to navigate through the knowledge base.", + "description": "Below are the tactics and techniques representing the MITRE ATT&CK Matrix for ICS.", "tactic_refs": [ "x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a", "x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45", @@ -36,11 +37,8 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", 
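Review bot: The matrix object loses its `x_mitre_domains` array in this hunk while the course-of-action objects later in the same file keep theirs, so a consumer that selects objects by `x_mitre_domains` containing `ics-attack` would no longer return the ICS matrix. Unless spec version 3.3.0 intentionally drops the field from `x-mitre-matrix`, I would keep `"x_mitre_domains": ["ics-attack"],` ahead of `x_mitre_version`. The `external_references` URL also moves from `/matrices/ics/` to `/matrices/ics-attack`; it is worth confirming the new path resolves before publishing, since reports and tooling link to it. `x_mitre_version` stays at `1.0` even though the description and URL changed, which is at odds with the version bumps applied to the mitigations below.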
@@ -95,7 +93,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:26.074Z", + "modified": "2026-04-23T00:45:45.801Z", "name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)", "labels": [ @@ -108,8 +106,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", 
@@ -208,7 +206,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:26.551Z", + "modified": "2026-04-23T00:46:09.190Z", "name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. (Citation: IEC February 2019) (Citation: IEC August 2013)", "labels": [ @@ -221,8 +219,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", @@ -298,7 +296,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:27.092Z", + "modified": "2026-04-23T00:47:04.457Z", "name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.", "labels": [ 
@@ -311,8 +309,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", @@ -377,19 +375,6 @@ "x_mitre_attack_spec_version": "3.2.0" }, { - "modified": "2025-03-12T16:11:54.933Z", - "name": "Access Management", - "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)", - "labels": [ - "IEC 62443-3-3:2013 - SR 2.1", - "IEC 62443-4-2:2019 - CR 2.1", - "NIST SP 800-53 Rev. 5 - AC-3" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", "type": "course-of-action", "id": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "created": "2020-09-11T16:32:21.854Z", 
@@ -415,8 +400,21 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-23T00:47:44.798Z", + "name": "Access Management", + "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)", + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 5 - AC-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", @@ -442,7 +440,8 @@ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.2.0", + "revoked": false }, { "type": "course-of-action", 
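Review bot: The re-added description still reads `authorization polices and decisions`; since this object gets a new `modified` and version anyway, this is a good moment to correct it to `authorization policies and decisions`. Together with the removal hunk before it (old lines 377–389), this hunk only moves `modified`, `name`, `description`, `labels` and the `x_mitre_*` keys below `object_marking_refs`; the visible values are identical apart from `modified`, `x_mitre_version` `1.0` → `1.1` and the spec version. If the bump reflects changes to relationships rather than to this object, saying so in the commit message would help consumers who review mitigation text changes by version.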
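Review bot: `"revoked": false` is appended to this course-of-action after `x_mitre_attack_spec_version`, but no `modified` change appears to accompany it: the preceding hunk ends at new line 420 and this one starts at 440, so the lines in between, where the object's `modified` would sit, are untouched. STIX consumers that sync incrementally on `modified` will not pick up the new property, and the object stays on spec `3.2.0` and version `1.0` while its neighbours move to `3.3.0`. Either bump `modified` with the edit or drop the property, which only restates the default; if it is kept, placing it after `created_by_ref`, as the matrix object at the top of this file does, would keep the key order consistent. The object begins outside this hunk, so its id is not visible here.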
@@ -556,7 +555,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:28.312Z", + "modified": "2026-04-23T00:50:32.432Z", "name": "Static Network Configuration", "description": "Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.", "labels": [ @@ -569,8 +568,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", 
@@ -637,19 +636,6 @@ "x_mitre_attack_spec_version": "3.2.0" }, { - "modified": "2023-10-20T17:02:00.299Z", - "name": "Human User Authentication", - "description": "Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).", - "labels": [ - "IEC 62443-3-3:2013 - SR 1.1", - "IEC 62443-4-2:2019 - CR 1.1", - "NIST SP 800-53 Rev. 5 - IA-2" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "created": "2020-09-11T16:32:21.854Z", 
@@ -665,8 +651,21 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-23T00:50:55.165Z", + "name": "Human User Authentication", + "description": "Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.1", + "IEC 62443-4-2:2019 - CR 1.1", + "NIST SP 800-53 Rev. 5 - IA-2" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", @@ -710,7 +709,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:28.975Z", + "modified": "2026-04-23T00:54:56.965Z", "name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "labels": [ 
@@ -723,23 +722,10 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { - "modified": "2024-10-14T20:31:04.927Z", - "name": "Software Process and Device Authentication", - "description": "Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.", - "labels": [ - "IEC 62443-3-3:2013 - SR 1.2", - "IEC 62443-4-2:2019 - CR 1.2", - "NIST SP 800-53 Rev. 5 - IA-3" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "created": "2019-06-06T21:16:18.709Z", @@ -755,8 +741,21 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-23T00:55:20.765Z", + "name": "Software Process and Device Authentication", + "description": "Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.", + "labels": [ + "IEC 62443-3-3:2013 - SR 1.2", + "IEC 62443-4-2:2019 - CR 1.2", + "NIST SP 800-53 Rev. 5 - IA-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", 
@@ -774,7 +773,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:29.147Z", + "modified": "2026-04-23T00:55:38.098Z", "name": "Encrypt Network Traffic", "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.", "labels": [ @@ -787,8 +786,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", @@ -869,7 +868,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:29.725Z", + "modified": "2026-04-23T00:55:57.931Z", "name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "labels": [ @@ -881,8 +880,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", @@ -1085,7 +1084,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:31.005Z", + "modified": "2026-04-23T00:56:16.357Z", "name": "Encrypt Sensitive Information", "description": "Protect sensitive data-at-rest with strong encryption.", "labels": [ @@ -1098,8 +1097,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", 
@@ -1117,7 +1116,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:31.149Z", + "modified": "2026-04-23T00:56:32.131Z", "name": "Network Allowlists", "description": "Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", "labels": [ @@ -1128,8 +1127,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", @@ -1225,7 +1224,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:31.696Z", + "modified": "2026-04-23T00:56:53.267Z", "name": "Out-of-Band Communications Channel", "description": "Have alternative methods to support communication requirements during communication failures and data integrity attacks. (Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)", "labels": [ @@ -1236,8 +1235,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", 
@@ -1255,7 +1254,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:31.848Z", + "modified": "2026-04-23T00:54:39.756Z", "name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.", "labels": [ @@ -1269,8 +1268,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", @@ -1288,7 +1287,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:32.013Z", + "modified": "2026-04-23T00:54:21.289Z", "name": "Communication Authenticity", "description": "When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.", "labels": [ @@ -1301,8 +1300,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", 
@@ -1486,19 +1485,6 @@ "x_mitre_attack_spec_version": "3.2.0" }, { - "modified": "2023-10-20T17:01:38.562Z", - "name": "Authorization Enforcement", - "description": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)", - "labels": [ - "IEC 62443-3-3:2013 - SR 2.1", - "IEC 62443-4-2:2019 - CR 2.1", - "NIST SP 800-53 Rev. 5 - AC-3" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "created": "2020-09-11T16:32:21.854Z", 
@@ -1524,8 +1510,21 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-23T00:54:03.965Z", + "name": "Authorization Enforcement", + "description": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)", + "labels": [ + "IEC 62443-3-3:2013 - SR 2.1", + "IEC 62443-4-2:2019 - CR 2.1", + "NIST SP 800-53 Rev. 5 - AC-3" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", @@ -1605,7 +1604,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:33.651Z", + "modified": "2026-04-23T00:57:09.061Z", "name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "labels": [ @@ -1618,8 +1617,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "course-of-action", 
@@ -1848,22 +1847,6 @@ ] }, { - "modified": "2025-01-02T19:40:26.678Z", - "name": "Stuxnet", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ", - "x_mitre_platforms": [ - "Windows" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_version": "1.4", - "x_mitre_aliases": [ - "Stuxnet", - "W32.Stuxnet" - ], "type": "malware", "id": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", "created": "2020-12-14T17:34:58.457Z", 
@@ -1903,8 +1886,24 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", + "modified": "2026-04-24T02:36:25.135Z", + "name": "Stuxnet", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.5", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_aliases": [ + "Stuxnet", + "W32.Stuxnet" + ], "labels": [ "malware" ] 
@@ -2207,7 +2206,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:24.423Z", + "modified": "2026-04-23T14:17:13.861Z", "name": "PLC-Blaster", "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016) (Citation: Spenneberg, Ralf 2016) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -2215,8 +2214,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_aliases": [ "PLC-Blaster" ], @@ -2407,24 +2406,6 @@ ] }, { - "modified": "2023-10-17T20:05:34.648Z", - "name": "LockerGoga", - "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", - "x_mitre_platforms": [ - "Windows" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_version": "2.0", - "x_mitre_contributors": [ - "Joe Slowik - Dragos" - ], - "x_mitre_aliases": [ - "LockerGoga" - ], "type": "malware", "id": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "created": "2019-04-16T19:00:49.435Z", 
@@ -2450,8 +2431,26 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", + "modified": "2026-04-22T22:21:12.036Z", + "name": "LockerGoga", + "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "2.1", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_aliases": [ + "LockerGoga" + ], "labels": [ "malware" ] @@ -2725,19 +2724,6 @@ ] }, { - "modified": "2024-04-17T16:12:43.754Z", - "name": "Triton", - "description": "[Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)(Citation: Dragos December 2017)(Citation: DHS CISA February 2019)(Citation: Schneider Electric January 2018)(Citation: Julian Gutmanis March 2019)(Citation: Schneider December 2018)(Citation: Jos Wetzels January 2018)", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_aliases": [ - "Triton", - "TRISIS", - "HatMan" - ], "type": "malware", "id": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "created": "2019-03-26T15:02:14.907Z", 
@@ -2788,8 +2774,21 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", + "modified": "2026-04-22T20:06:22.741Z", + "name": "Triton", + "description": "[Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)(Citation: Dragos December 2017)(Citation: DHS CISA February 2019)(Citation: Schneider Electric January 2018)(Citation: Julian Gutmanis March 2019)(Citation: Schneider December 2018)(Citation: Jos Wetzels January 2018)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_aliases": [ + "Triton", + "TRISIS", + "HatMan" + ], "labels": [ "malware" ] 
@@ -3255,22 +3254,22 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:25.242Z", + "modified": "2026-04-23T14:06:34.251Z", "name": "INCONTROLLER", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. [INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed [INCONTROLLER](https://attack.mitre.org/software/S1045) was developed by CHERNOVITE.(Citation: CISA-AA22-103A)(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Schneider-Incontroller)(Citation: Wylie-22) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ + "Engineering Workstation", "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay", - "Engineering Workstation", "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Jimmy Wylie, Dragos, Inc." ], 
@@ -3346,27 +3345,6 @@ ] }, { - "modified": "2024-04-11T16:06:34.700Z", - "name": "Industroyer", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", - "x_mitre_platforms": [ - "Windows" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_contributors": [ - "Dragos Threat Intelligence", - "Joe Slowik - Dragos" - ], - "x_mitre_aliases": [ - "Industroyer", - "CRASHOVERRIDE", - "Win32/Industroyer" - ], "type": "malware", "id": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "created": "2021-01-04T20:42:21.997Z", 
@@ -3405,8 +3383,29 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", + "modified": "2026-04-23T14:11:53.057Z", + "name": "Industroyer", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence", + "Joe Slowik - Dragos" + ], + "x_mitre_aliases": [ + "Industroyer", + "CRASHOVERRIDE", + "Win32/Industroyer" + ], "labels": [ "malware" ] @@ -3813,7 +3812,7 @@ "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, + "revoked": true, "external_references": [ { "source_name": "mitre-attack", 
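Review bot: Setting `"revoked": true` on `attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61` (Block Command Message) leaves consumers with no pointer to its replacement unless the bundle also carries a `revoked-by` relationship, and none is visible in the hunks shown here. Detection-coverage and mitigation mappings keyed on the old technique would then drop the entry instead of following it to the new object. Please confirm that a `relationship` object with `"relationship_type": "revoked-by"` and this id as `source_ref` is added elsewhere in the file. The same check applies to the revocations of `attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60` and `attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b` in later hunks.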
@@ -3834,7 +3833,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-15T19:58:01.218Z", + "modified": "2026-04-20T20:58:37.791Z", "name": "Block Command Message", "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "kill_chain_phases": [ @@ -3845,7 +3844,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -3888,7 +3886,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -3926,7 +3923,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -3969,7 +3965,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4029,7 +4024,6 @@ "ICSCoE Japan" ], "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4082,7 +4076,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
@@ -4093,6 +4086,50 @@ ], "x_mitre_version": "1.0" }, + { + "type": "attack-pattern", + "id": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "created": "2026-04-20T20:54:16.029Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1691/001", + "external_id": "T1691.001" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:50:42.389Z", + "name": "Command Message", + "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. 
A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", @@ -4131,8 +4168,7 @@ "None" ], "x_mitre_version": "1.0", - "revoked": false, - "x_mitre_detection": "" + "revoked": false }, { "type": "attack-pattern", @@ -4176,7 +4212,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4234,7 +4269,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4250,7 +4284,7 @@ "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, + "revoked": true, "external_references": [ { "source_name": "mitre-attack", 
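Review bot: The E-ISAC reference copied into this new T1691.001 object misspells the report title as "Ukranian" in its `description`, and the IEEE reference still uses a plain `http://` link. Both are easier to fix while the entries are being re-created than after they have been carried forward. Suggested values are `Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case` for the title and `"url": "https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"` for the link. The same two references appear again in the T1691 object added in the hunk at -5018. Their `Retrieved. 2018/01/12` suffix is also formatted differently from the `Retrieved April 23, 2026.` style used by the T1694 references later in this file.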
@@ -4261,7 +4295,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:10.923Z", + "modified": "2026-04-20T20:58:51.323Z", "name": "Block Serial COM", "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. \n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.", "kill_chain_phases": [ @@ -4272,7 +4306,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4325,7 +4358,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
@@ -4362,7 +4394,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4409,7 +4440,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4455,7 +4485,6 @@ "Jos Wetzels - Midnight Blue" ], "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4493,7 +4522,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4546,7 +4574,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4612,7 +4639,6 @@ "Scott Dougherty" ], "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4674,7 +4700,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4721,7 +4746,6 @@ "Jos Wetzels - Midnight Blue" ], "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4779,7 +4803,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4817,7 +4840,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4863,8 +4885,7 @@ "None" ], "x_mitre_version": "1.0", - "revoked": false, - "x_mitre_detection": "" + "revoked": false }, { "type": "attack-pattern", @@ -4893,7 +4914,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
@@ -4931,7 +4951,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -4977,8 +4996,7 @@ "None" ], "x_mitre_version": "1.0", - "revoked": false, - "x_mitre_detection": "" + "revoked": false }, { "type": "attack-pattern", @@ -5007,7 +5025,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
@@ -5018,6 +5035,50 @@ ], "x_mitre_version": "1.0" }, + { + "type": "attack-pattern", + "id": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "created": "2026-04-20T20:50:34.107Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1691", + "external_id": "T1691" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:49:15.673Z", + "name": "Block Operational Technology Message", + "description": "Adversaries may block messages between systems and devices in an OT/ICS environment to disrupt processes. Messages typically fall into two categories: (1) reporting messages that contain telemetry data about the current state of systems, devices, and processes and (2) command messages that contain instructions to control systems, devices, and processes. 
Both types of messages are critical for the proper functioning of industrial control processes and failure of the messages to reach their intended destinations could inhibit response functions or create an unsafe condition that could have physical impacts.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n\nAdversaries may block communications by either making modifications to software ([System Firmware](https://attack.mitre.org/techniques/T0857), [Module Firmware](https://attack.mitre.org/techniques/T0839), [Hooking](https://attack.mitre.org/techniques/T0874), and [Rootkit](https://attack.mitre.org/techniques/T0851)) and services ([Service Stop](https://attack.mitre.org/techniques/T0881), [Denial of Service](https://attack.mitre.org/techniques/T0814)) on systems and devices or by positioning themselves between systems and devices and intercepting and blocking the communications such as the case with an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", @@ -5055,7 +5116,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -5098,7 +5158,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
@@ -5109,6 +5168,45 @@ ], "x_mitre_version": "1.2" }, + { + "type": "attack-pattern", + "id": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "created": "2026-04-20T20:54:20.103Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0873/001", + "external_id": "T0873.001" + }, + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:37:43.545Z", + "name": "Siemens Project File Format", + "description": "Adversaries may infect Siemens PLC project files (i.e., Step 7, WinCC, etc.) to achieve [Execution](https://attack.mitre.org/tactics/TA0104), [Persistence](https://attack.mitre.org/tactics/TA0110), and [Lateral Movement](https://attack.mitre.org/tactics/TA0109) objectives. 
Adversaries may modify an existing project file or bring their own project files into the environment.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)\n\nThe ability for an adversary to deploy an infected project file relies on access to a workstation with Siemens PLC programming software installed on it from which a program download can be performed.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", @@ -5146,7 +5244,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -5189,7 +5286,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -5236,7 +5332,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -5274,7 +5369,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
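Review bot: The `description` of T0873.001 says the technique serves Execution, Persistence and Lateral Movement objectives, but `kill_chain_phases` lists only `persistence`. Tooling that filters or heat-maps techniques by tactic will not surface this entry under the other two tactics. Either add the matching phases or narrow the sentence to the tactic the object actually carries. The parent technique is not visible in this hunk, so which of the two is right should be checked against its tactics.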
@@ -5285,12 +5379,65 @@ ], "x_mitre_version": "1.1" }, + { + "type": "attack-pattern", + "id": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "created": "2026-04-20T20:50:35.222Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1694", + "external_id": "T1694" + }, + { + "source_name": "ICS-ALERT-13-164-01", + "description": "Cybersecurity and Infrastructure Security Agency (CISA). (2013, October 29). Medical Devices Hard-Coded Passwords. Retrieved April 23, 2026.", + "url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01" + }, + { + "source_name": "OT IceFall", + "description": "Forescout Vedere Labs. (2022, June). OT: IceFall Report. Retrieved April 23, 2026.", + "url": "https://www.forescout.com/resources/ot-icefall-report/" + }, + { + "source_name": "NIST SP 800-82r3", + "description": "Keith Stouffer. (2023, September). Guide to Operational Technology (OT) Security. Retrieved April 22, 2026.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:29:41.601Z", + "name": "Insecure Credentials", + "description": "Adversaries may target insecure credentials as a means to persist on a system or device or move laterally from one system or device to another. 
Insecure credentials may appear as default credentials which are pre-configured credentials on a system, device, or software that are well-known in documentation or hard-coded credentials which are built into the system, device, or software that cannot be changed or not easily changed because of the impact on control processes.(Citation: NIST SP 800-82r3)(Citation: ICS-ALERT-13-164-01)(Citation: OT IceFall)\n Adversaries often times use insecure credentials to evade detection as they are typically forgotten about by system and device owners.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, + "revoked": true, "external_references": [ { "source_name": "mitre-attack", 
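Review bot: The last sentence of the T1694 description is joined with `\n ` (one newline and a leading space), which Markdown renders as a continuation of the previous paragraph, whereas the other descriptions in this commit separate paragraphs with `\n\n`. I would write `(Citation: OT IceFall)\n\nAdversaries often use insecure credentials to evade detection`. The first sentence also runs the two definitions together; `default credentials, which are pre-configured and well known from documentation, or hard-coded credentials, which are built in and cannot easily be changed` makes the distinction behind T1694.001 and T1694.002 easier to read.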
@@ -5311,7 +5458,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:13.771Z", + "modified": "2026-04-20T20:58:39.117Z", "name": "Block Reporting Message", "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "kill_chain_phases": [ @@ -5322,7 +5469,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -5338,7 +5484,7 @@ "id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, + "revoked": true, "external_references": [ { "source_name": "mitre-attack", 
@@ -5364,7 +5510,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:13.939Z", + "modified": "2026-04-20T20:58:41.104Z", "name": "Unauthorized Command Message", "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)", "kill_chain_phases": [ @@ -5375,7 +5521,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
@@ -5386,6 +5531,59 @@ ], "x_mitre_version": "1.2" }, + { + "type": "attack-pattern", + "id": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "created": "2026-04-20T20:54:17.053Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1692/001", + "external_id": "T1692.001" + }, + { + "source_name": "Benjamin Freed March 2019", + "description": "Benjamin Freed 2019, March 13 Tornado sirens in Dallas suburbs deactivated after being hacked and set off Retrieved. 2020/11/06 ", + "url": "https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + }, + { + "source_name": "Zack Whittaker April 2017", + "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ", + "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:59:19.225Z", + "name": "Command Message", + "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. 
If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105).(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster.(Citation: Zack Whittaker April 2017)(Citation: Benjamin Freed March 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", @@ -5421,7 +5619,6 @@ "Matan Dobrushin - Otorio" ], "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -5474,7 +5671,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -5519,7 +5715,6 @@ "Joe Slowik - Dragos" ], "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
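Review bot: The three reference descriptions copied into the new T1692.001 object keep the legacy citation string, e.g. `... hacked and set off Retrieved. 2020/11/06 ` with a misplaced period and a trailing space, while references first added in this commit use the `Author. (Year, Month). Title. Retrieved Month D, YYYY.` form. The same legacy strings recur in the added T1692.002, T1694.001, T1695.002, T1693.001 and T1695.003 objects. The `Basnight, Zachry, et al.` entry on T1693.001 has no title at all, so the source cannot be identified if the link stops resolving. I would normalise them on the new objects, for example `Freed, B. (2019, March 13). Tornado sirens in Dallas suburbs deactivated after being hacked and set off. Retrieved November 6, 2020.`, and switch the `http://ieeexplore.ieee.org/...` link to `https://`.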
@@ -5530,6 +5725,49 @@ ], "x_mitre_version": "1.0" }, + { + "type": "attack-pattern", + "id": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "created": "2026-04-20T20:54:17.539Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1692/002", + "external_id": "T1692.002" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:01:42.644Z", + "name": "Reporting Message", + "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.\n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. 
The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "evasion" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00", @@ -5556,7 +5794,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -5603,8 +5840,7 @@ "None" ], "x_mitre_version": "1.0", - "revoked": false, - "x_mitre_detection": "" + "revoked": false }, { "type": "attack-pattern", @@ -5643,7 +5879,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
@@ -5654,6 +5889,83 @@ ], "x_mitre_version": "1.1" }, + { + "type": "attack-pattern", + "id": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "created": "2026-04-20T20:54:22.399Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1695/001", + "external_id": "T1695.001" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:59:10.079Z", + "name": "Serial COM", + "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages.\n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. 
One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "created": "2026-04-20T20:54:19.020Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1694/001", + "external_id": "T1694.001" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:30:36.158Z", + "name": "Default Credentials", + "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. 
It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.(Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", @@ -5696,7 +6008,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
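Review bot: The added T1694.001 object cites `NIST.SP.800-82r2.pdf` (Keith Stouffer May 2015), whereas the T1694 and T0846.001 objects added by this same commit cite `NIST SP 800-82r3` (2023, September). Revision 3 replaces revision 2, so, once the default-password guidance is confirmed in r3, I would reuse the `NIST SP 800-82r3` reference and `(Citation: NIST SP 800-82r3)` here so that all new objects point at the current guide. The T1695.001 description in the same hunk has no citation at all, unlike its Ethernet and Wi-Fi siblings.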
@@ -5707,6 +6018,40 @@ ], "x_mitre_version": "1.1" }, + { + "type": "attack-pattern", + "id": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "created": "2026-04-20T20:54:25.997Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0843/003", + "external_id": "T0843.003" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:18:49.737Z", + "name": "Program Append", + "description": "Adversaries may execute a program append to a PLC to update parts of an existing program. It may or may not require stopping the PLC which may allow it to continue running during transfer and reconfiguration without interruption to process control. Adversaries may leverage this approach to minimize downtime and evade detection. \n\nThe ability to perform a program append to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", @@ -5734,7 +6079,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
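Review bot: The second sentence of the T0843.003 description, `It may or may not require stopping the PLC which may allow it to continue running`, leaves unclear which case lets the PLC keep running, and that is the property a reader assessing monitoring coverage needs to understand. I would word it as `A program append may not require stopping the PLC, in which case the PLC keeps running during transfer and reconfiguration without interrupting process control.` The object also carries no reference besides the `mitre-attack` entry, so the behaviour it describes has no cited source.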
@@ -5745,6 +6089,45 @@ ], "x_mitre_version": "1.1" }, + { + "type": "attack-pattern", + "id": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "created": "2026-04-20T20:54:20.714Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0846/001", + "external_id": "T0846.001" + }, + { + "source_name": "NIST SP 800-82r3", + "description": "Keith Stouffer. (2023, September). Guide to Operational Technology (OT) Security. Retrieved April 22, 2026.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:41:07.822Z", + "name": "Port Scan", + "description": "Adversaries may perform a port scan on a system, device, or network to identify live hosts, enumerate open ports and running services, identify operating systems, and map out the network.(Citation: NIST SP 800-82r3) The results of a port scan may inform adversary [Discovery](https://attack.mitre.org/tactics/TA0102), [Lateral Movement](https://attack.mitre.org/tactics/TA0109), and vulnerability exploitation decisions ([Exploitation for Evasion](https://attack.mitre.org/techniques/T0820), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T0890), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T0866)). 
\n\nSome common tools for executing a port scan include `nmap`, `netcat`, and the Advanced Port Scanner.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", @@ -5782,7 +6165,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -5819,7 +6201,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -5859,7 +6240,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
@@ -5870,6 +6250,45 @@ ], "x_mitre_version": "1.0" }, + { + "type": "attack-pattern", + "id": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "created": "2026-04-20T20:54:22.891Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1695/002", + "external_id": "T1695.002" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:57:13.444Z", + "name": "Ethernet", + "description": "Adversaries may block access to Ethernet communications to prevent instructions or configurations messages from reaching target systems and devices. Ethernet connections allow for communications between IT and OT systems and devices. 
Blocking Ethernet communications may also block command and reporting messages.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nAn adversary may block Ethernet communications by disabling network interfaces, [Service Stop](https://attack.mitre.org/techniques/T0881), or conducting an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack and dropping the network traffic.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", @@ -5912,7 +6331,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -5960,7 +6378,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
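Review bot: The T1695.002 description reads `instructions or configurations messages`; it should be `instructions or configuration messages`. In the second paragraph the list mixes gerunds with a bare technique link (`by disabling network interfaces, [Service Stop](...), or conducting`); `using [Service Stop](https://attack.mitre.org/techniques/T0881)` keeps it parallel. The same list wording appears in the T1695.003 Wi-Fi description added further down.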
@@ -5971,6 +6388,179 @@ ], "x_mitre_version": "1.1" }, + { + "type": "attack-pattern", + "id": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "created": "2026-04-20T20:54:21.726Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T0846/003", + "external_id": "T0846.003" + }, + { + "source_name": "Cisco Active Discovery", + "description": "Cisco Systems, Inc.. (2024, March 5). Cisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0. Retrieved April 23, 2026.", + "url": "https://www.cisco.com/c/en/us/td/docs/security/cyber_vision/publications/Active-Discovery/Release-4-3-0/b_Cisco_Cyber_Vision_Active_Discovery_Configuration_Guide.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:45:38.166Z", + "name": "Multicast Discovery", + "description": "Adversaries may perform multicast discovery requests which is when one system or device sends messages to all systems and devices in a pre-defined group on a network (or subnet) and then waits for a response. If a response is received that means the system or device that responded is live and can communicate over that protocol. Multicast discovery tends to be stealthier than broadcast discovery because every system or device on the network (or subnet) is not being messaged. 
\n\nOne common OT protocol that has a multicast discovery mechanism is the Process Field Network (PROFINET) Discovery and Configuration Protocol (DCP) with its Identify All requests.(Citation: Cisco Active Discovery)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "created": "2026-04-20T20:54:18.031Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1693/001", + "external_id": "T1693.001" + }, + { + "source_name": "Basnight, Zachry, et al.", + "description": "Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ", + "url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:10:31.871Z", + "name": "System Firmware", + "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.\n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. 
Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers.(Citation: Basnight, Zachry, et al.)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "impair-process-control" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", + "created": "2026-04-20T20:54:19.528Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1694/002", + "external_id": "T1694.002" + }, + { + "source_name": "ICS-ALERT-13-164-01", + "description": "Cybersecurity and Infrastructure Security Agency (CISA). (2013, October 29). Medical Devices Hard-Coded Passwords. Retrieved April 23, 2026.", + "url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01" + }, + { + "source_name": "OT IceFall", + "description": "Forescout Vedere Labs. (2022, June). OT: IceFall Report. Retrieved April 23, 2026.", + "url": "https://www.forescout.com/resources/ot-icefall-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:32:38.851Z", + "name": "Hardcoded Credentials", + "description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. 
Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset.(Citation: ICS-ALERT-13-164-01)(Citation: OT IceFall)\n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "attack-pattern", + "id": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "created": "2026-04-20T20:54:23.383Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1695/003", + "external_id": "T1695.003" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 
2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:59:42.404Z", + "name": "Wi-Fi", + "description": "Adversaries may block access to Wi-Fi communications to prevent messages from reaching target systems and devices. Wi-Fi connections allow for communications between IT and OT systems and devices. Blocking Wi-Fi communications may also block command and reporting messages.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nAn adversary may block Wi-Fi communications by disabling network interfaces, [Service Stop](https://attack.mitre.org/techniques/T0881), conducting an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack and dropping the network traffic, or by jamming the Wi-Fi signal.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a", @@ -6002,7 +6592,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
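Review bot: The T1694.002 description links `[Default Credentials](https://attack.mitre.org/techniques/T0812)`, but this commit adds Default Credentials as T1694.001, so the cross-reference points at the old identifier. If T0812 is revoked by this change (its object is not in this hunk), readers land on a redirect or a retired page; I would link `[Default Credentials](https://attack.mitre.org/techniques/T1694/001)`. The sentence before the list should read `Example credentials that may be hardcoded in an asset include:`.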
@@ -6014,6 +6603,87 @@
 ],
 "x_mitre_version": "1.0"
 },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39",
+ "created": "2026-04-20T20:54:18.535Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1693/002",
+ "external_id": "T1693.002"
+ },
+ {
+ "source_name": "Daniel Peck, Dale Peterson January 2009",
+ "description": "Daniel Peck, Dale Peterson 2009, January 28 Leveraging Ethernet Card Vulnerabilities in Field Devices Retrieved. 2017/12/19 ",
+ "url": "https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T19:15:57.683Z",
+ "name": "Module Firmware",
+ "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.\n\nThis technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices.(Citation: Daniel Peck, Dale Peterson January 2009)\n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following:(Citation: Daniel Peck, Dale Peterson January 2009)\n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time.\n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return.\n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator.\n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise.\n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impair-process-control"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef",
+ "created": "2026-04-20T20:54:23.982Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0843/001",
+ "external_id": "T0843.001"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T00:01:28.898Z",
+ "name": "Download All",
+ "description": "Adversaries may execute a full program download to a PLC to overwrite the entire PLC program and configuration to deploy a new project or make major changes. This typically requires stopping the PLC and adversely impacting control processes.\n\nThe ability to perform a full program download to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
 {
 "type": "attack-pattern",
 "id": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
@@ -6041,7 +6711,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6081,7 +6750,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
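Review bot: The new Module Firmware description (T1693.002) still says `This technique is similar to System Firmware`, yet this same commit flips System Firmware (attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d) to `"revoked": true` in a later hunk, so the sentence points readers at an object that consumers will treat as withdrawn. The other descriptions added here link related techniques by URL; this one should do the same and name the technique that replaces System Firmware, presumably a sibling under [Modify Firmware](https://attack.mitre.org/techniques/T1693), whose ID is not visible in this hunk. Anyone mapping detections or mitigations from this sentence otherwise lands on a revoked entry.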
@@ -6092,6 +6760,97 @@
 ],
 "x_mitre_version": "1.0"
 },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2",
+ "created": "2026-04-20T20:54:16.584Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1691/002",
+ "external_id": "T1691.002"
+ },
+ {
+ "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+ "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+ "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+ },
+ {
+ "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
+ "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
+ "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T18:52:34.062Z",
+ "name": "Reporting Message",
+ "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20",
+ "created": "2026-04-20T20:50:34.850Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1693",
+ "external_id": "T1693"
+ },
+ {
+ "source_name": "Basnight, Zachry, et al.",
+ "description": "Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ",
+ "url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T19:06:21.253Z",
+ "name": "Modify Firmware",
+ "description": "Firmware is low-level software embedded in hardware that enables systems and devices to function properly and is commonly found in ICS environments. Adversaries may modify firmware on a system or device by installing malicious or vulnerable versions that enable them to achieve objectives such as [Persistence](https://attack.mitre.org/tactics/TA0110), [Impair Process Control](https://attack.mitre.org/tactics/TA0106), and [Inhibit Response Function](https://attack.mitre.org/tactics/TA0107). \n\nAdversaries may modify system and device firmware by using the built-in firmware update functionality which may support local or remote installation. The malicious or vulnerable firmware may be delivered via [Replication Through Removable Media](https://attack.mitre.org/techniques/T0847), [Supply Chain Compromise](https://attack.mitre.org/techniques/T0862), or [Remote Services](https://attack.mitre.org/techniques/T0886). Once installed, the malicious or vulnerable firmware could be used to provide [Rootkit](https://attack.mitre.org/techniques/T0851) and [Hooking](https://attack.mitre.org/techniques/T0874) functionality, [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T0890), or [Denial of Service](https://attack.mitre.org/techniques/T0814).(Citation: Basnight, Zachry, et al.)\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "persistence"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "inhibit-response-function"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impair-process-control"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
 {
 "type": "attack-pattern",
 "id": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916",
@@ -6139,7 +6898,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6155,7 +6913,7 @@
 "id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
 "created": "2020-05-21T17:43:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
+ "revoked": true,
 "external_references": [
 {
 "source_name": "mitre-attack",
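Review bot: The `Basnight, Zachry, et al.` reference added for Modify Firmware has the description `Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ` with no title, so the source cannot be identified if the sciencedirect link stops resolving; the paper title should be added after the year. In the Reporting Message object of the same hunk the E-ISAC citation spells the title `Ukranian Power Grid`, which should read `Ukrainian Power Grid`. This link and the ieeexplore one are both `http://`; it is worth checking whether the `https://` forms resolve, since analysts follow these URLs straight from tooling.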
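Review bot: `"revoked": true` is set on Spoof Reporting Message (attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4) with nothing in this file saying what replaces it. ATT&CK conventionally pairs a revoked object with a `revoked-by` relationship, and no such object is visible in this part of the diff, so please confirm it ships in the same commit. The same applies to the other objects revoked in later hunks: Default Credentials (8bb4538f), System Firmware (b9160e77), Hardcoded Credentials (c9a8d958) and attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707. Without the relationship, detection and mitigation mappings keyed on the old IDs lose coverage instead of being redirected to the successor. The object's body starts and ends outside this hunk.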
@@ -6171,7 +6929,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:26:15.909Z",
+ "modified": "2026-04-20T20:58:43.011Z",
 "name": "Spoof Reporting Message",
 "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ",
 "kill_chain_phases": [
@@ -6186,7 +6944,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6238,7 +6995,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6254,7 +7010,7 @@
 "id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
 "created": "2020-05-21T17:43:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
+ "revoked": true,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -6270,7 +7026,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:26:16.206Z",
+ "modified": "2026-04-20T20:58:48.356Z",
 "name": "Default Credentials",
 "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.",
 "kill_chain_phases": [
@@ -6281,7 +7037,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6329,7 +7084,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6367,7 +7121,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6404,7 +7157,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": true,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6456,7 +7208,6 @@
 "Conrad Layne - GE Digital"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6494,7 +7245,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6555,7 +7305,6 @@
 "Dragos Threat Intelligence"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6596,7 +7345,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": true,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6648,7 +7396,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6685,7 +7432,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": true,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6742,7 +7488,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": true,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6782,7 +7527,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6830,7 +7574,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6873,7 +7616,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6931,7 +7673,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6953,15 +7694,15 @@
 "url": "https://attack.mitre.org/techniques/T0882",
 "external_id": "T0882"
 },
- {
- "source_name": "Mark Thompson March 2016",
- "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ",
- "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/"
- },
 {
 "source_name": "Danny Yadron December 2015",
 "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ",
 "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559"
+ },
+ {
+ "source_name": "Mark Thompson March 2016",
+ "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ",
+ "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/"
 }
 ],
 "object_marking_refs": [
@@ -6978,7 +7719,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -6987,14 +7727,15 @@
 "x_mitre_platforms": [
 "None"
 ],
- "x_mitre_version": "1.0"
+ "x_mitre_version": "1.0",
+ "revoked": false
 },
 {
 "type": "attack-pattern",
 "id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
 "created": "2020-05-21T17:43:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
+ "revoked": true,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -7010,7 +7751,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:26:17.862Z",
+ "modified": "2026-04-20T20:58:44.575Z",
 "name": "System Firmware",
 "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)",
 "kill_chain_phases": [
@@ -7025,7 +7766,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7063,7 +7803,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7101,7 +7840,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7189,7 +7927,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7200,6 +7937,50 @@
 ],
 "x_mitre_version": "1.0"
 },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c",
+ "created": "2026-04-20T20:54:21.227Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0846/002",
+ "external_id": "T0846.002"
+ },
+ {
+ "source_name": "Cisco Active Discovery",
+ "description": "Cisco Systems, Inc.. (2024, March 5). Cisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0. Retrieved April 23, 2026.",
+ "url": "https://www.cisco.com/c/en/us/td/docs/security/cyber_vision/publications/Active-Discovery/Release-4-3-0/b_Cisco_Cyber_Vision_Active_Discovery_Configuration_Guide.pdf"
+ },
+ {
+ "source_name": "Broadcasting BACnet",
+ "description": "H. Michael Newman. (2010, November). Broadcasting BACnet\u00ae. Retrieved April 23, 2026.",
+ "url": "https://bacnet.org/wp-content/uploads/sites/4/2022/06/Newman_2010.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T19:43:10.464Z",
+ "name": "Broadcast Discovery",
+ "description": "Adversaries may perform broadcast discovery requests to enumerate systems and devices on a network. Broadcast discovery works by one system or device sending messages to all systems and devices on a network (or subnet) and then waiting for a response. If a response is received that means the system or device that responded is live and can communicate over that protocol. Adversaries may leverage different protocols supported on the network for sending broadcast messages. \n\nSome common OT protocols that have broadcast discovery mechanisms are Building Automation and Control Network (BACNet) Who-Is requests, Common Industrial Protocol (CIP) List Identity User Datagram Protocol (UDP) broadcast requests, and Siemens S7 broadcast identification requests.(Citation: Broadcasting BACnet)(Citation: Cisco Active Discovery)\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "discovery"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
 {
 "type": "attack-pattern",
 "id": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
@@ -7231,7 +8012,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7240,14 +8020,15 @@
 "x_mitre_platforms": [
 "None"
 ],
- "x_mitre_version": "1.0"
+ "x_mitre_version": "1.0",
+ "revoked": false
 },
 {
 "type": "attack-pattern",
 "id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
 "created": "2022-09-29T13:35:38.589Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
+ "revoked": true,
 "external_references": [
 {
 "source_name": "mitre-attack",
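Review bot: The Broadcast Discovery description writes `BACNet`, while the cited source and its own reference entry use `BACnet`; the description should follow the source, `Building Automation and Control Network (BACnet) Who-Is requests`, so that text searches for the protocol name match. The Cisco reference also begins `Cisco Systems, Inc.. (2024, March 5)` with a doubled period, which should be `Cisco Systems, Inc. (2024, March 5)`.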
@@ -7258,7 +8039,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:26:18.583Z",
+ "modified": "2026-04-20T20:58:49.917Z",
 "name": "Hardcoded Credentials",
 "description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset. \n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets. \n",
 "kill_chain_phases": [
@@ -7276,7 +8057,6 @@
 "Aagam Shah, @neutrinoguy, ABB"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7323,7 +8103,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7366,7 +8145,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7398,18 +8176,17 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:26:18.958Z",
+ "modified": "2026-04-23T19:39:03.420Z",
 "name": "Remote System Discovery",
- "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)",
+ "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used.(Citation: Enterprise ATT&CK January 2018)",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-ics-attack",
 "phase_name": "discovery"
 }
 ],
- "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_attack_spec_version": "3.3.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7449,7 +8226,6 @@
 "Joe Slowik - Dragos"
 ],
 "x_mitre_deprecated": true,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7492,7 +8268,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
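Review bot: `x_mitre_version` does not appear to be bumped for Remote System Discovery, although its `modified` date, description and `x_mitre_attack_spec_version` all change here; Project File Infection (hunks -7869 and -7889) goes from `"1.0"` to `"1.1"` for the same kind of edit, a description change that only removes the space before each citation. If the bump rule is meant to be uniform, either this object should also move to its next minor version or the Project File Infection bump is unnecessary. The `x_mitre_version` line lies outside this hunk, so this is inferred from its absence in the diff. Consumers that compare releases by `x_mitre_version` would otherwise miss a change to a technique that appears to have gained a sub-technique in this commit (Broadcast Discovery, T0846.002).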
@@ -7503,6 +8278,40 @@
 ],
 "x_mitre_version": "1.1"
 },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c",
+ "created": "2026-04-20T20:54:25.372Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T0843/002",
+ "external_id": "T0843.002"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T17:40:18.368Z",
+ "name": "Online Edit",
+ "description": "Adversaries may execute an online edit of a PLC to update parts of an existing program. It does not require stopping the PLC which allows it to continue running during transfer and reconfiguration without interruption to process control. Adversaries may leverage this approach to minimize downtime and evade detection. \n\nThe ability to perform an online edit to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "lateral-movement"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
 {
 "type": "attack-pattern",
 "id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
@@ -7538,8 +8347,7 @@
 "None"
 ],
 "x_mitre_version": "1.0",
- "revoked": false,
- "x_mitre_detection": ""
+ "revoked": false
 },
 {
 "type": "attack-pattern",
@@ -7581,7 +8389,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": true,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
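Review bot: Online Edit (T0843.002) ships with only the `mitre-attack` entry in `external_references`, so the claims in its description, that an online edit needs no PLC stop and is used to `minimize downtime and evade detection`, have no citation; Download All (T0843.001) in hunk -6014 has the same gap. The other sub-techniques added in this commit carry at least one source, so a vendor or research reference should be added to both. The second sentence also opens with `It does not require stopping the PLC`, where `It` has no clear antecedent; `An online edit does not require stopping the PLC` reads unambiguously.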
@@ -7593,6 +8400,49 @@
 ],
 "x_mitre_version": "1.0"
 },
+ {
+ "type": "attack-pattern",
+ "id": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3",
+ "created": "2026-04-20T20:50:34.487Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1692",
+ "external_id": "T1692"
+ },
+ {
+ "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+ "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+ "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T18:54:29.294Z",
+ "name": "Unauthorized Message",
+ "description": "Adversaries may send unauthorized messages to ICS systems and devices to evade defenses or manipulate processes. Unauthorized messages can be categorized as either reporting messages that contain telemetry data about the current state of systems, devices, and processes or as command messages which instruct systems and devices on how to operate. By injecting unauthorized messages, adversaries can make it appear as if everything is working correctly when it isn\u2019t, trigger alarms to misdirect personnel or impact processes, and manipulate controls to disrupt processes.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nAdversaries may send unauthorized messages in an ICS environment using software found within the environment (living-off-the-land, vendor-specific interfaces, etc.), custom tooling leveraging OT protocols and libraries, or by positioning themselves between systems and devices and injecting messages into the communications such as the case with an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack.\n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "evasion"
+ },
+ {
+ "kill_chain_name": "mitre-ics-attack",
+ "phase_name": "impair-process-control"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
 {
 "type": "attack-pattern",
 "id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
@@ -7647,7 +8497,6 @@
 "Daisuke Suzuki"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7684,7 +8533,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": true,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7743,7 +8591,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7786,7 +8633,6 @@
 ],
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7827,7 +8673,6 @@
 "Matan Dobrushin - Otorio"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_detection": "",
 "x_mitre_domains": [
 "ics-attack"
 ],
@@ -7869,18 +8714,17 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-15T19:59:17.481Z", + "modified": "2026-04-23T19:35:14.939Z", "name": "Project File Infection", - "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)", + "description": "Adversaries may attempt to infect project files with malicious code. 
These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function.(Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques.(Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing.(Citation: PLCdev)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "persistence" } ], - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -7889,7 +8733,7 @@ "x_mitre_platforms": [ "None" ], - "x_mitre_version": "1.0" + "x_mitre_version": "1.1" }, { "type": "attack-pattern", @@ -7928,7 +8772,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -7971,7 +8814,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -7987,7 +8829,7 @@ "id": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, + "revoked": true, "external_references": [ { "source_name": "mitre-attack", 
@@ -8003,7 +8845,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:20.310Z", + "modified": "2026-04-20T20:58:46.789Z", "name": "Module Firmware", "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. 
\n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.", "kill_chain_phases": [ @@ -8018,7 +8860,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -8076,7 +8917,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -8114,7 +8954,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], @@ -8160,7 +8999,6 @@ "Felix Eberstaller" ], "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
@@ -8171,6 +9009,45 @@ ], "x_mitre_version": "1.0" }, + { + "type": "attack-pattern", + "id": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "created": "2026-04-20T20:50:35.776Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1695", + "external_id": "T1695" + }, + { + "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011", + "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ", + "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:52:53.490Z", + "name": "Block Communications", + "description": "Operational technology communications occur over serial COM, Ethernet, Wi-Fi, cellular (4G/5G), and satellite mediums. 
Adversaries may block communications to prevent reporting messages and command messages from reaching their intended target devices disrupting processes, operations, and causing cyber-physical impacts.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAdversaries may block communications by either making modifications to software ([System Firmware](https://attack.mitre.org/techniques/T0857), [Module Firmware](https://attack.mitre.org/techniques/T0839), [Hooking](https://attack.mitre.org/techniques/T0874), and [Rootkit](https://attack.mitre.org/techniques/T0851)) and services ([Service Stop](https://attack.mitre.org/techniques/T0881), [Denial of Service](https://attack.mitre.org/techniques/T0814)) on systems and devices or by positioning themselves between systems and devices and intercepting and blocking the communications such as the case with an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-ics-attack", + "phase_name": "inhibit-response-function" + } + ], + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "attack-pattern", "id": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", @@ -8203,7 +9080,6 @@ ], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, - "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], 
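Review bot: The new Block Communications description links to `[Module Firmware](https://attack.mitre.org/techniques/T0839)`, yet the object named "Module Firmware" is switched to `"revoked": true` by the hunks at -7987 and -8003 of this same file. The external id of that object is not visible in those hunks, so the match is by name only and should be confirmed. If it holds, the link should name the technique that replaces it, because consumers that filter out revoked objects will be left with a reference they cannot resolve. Separately, the added citation uses a plain `http://ieeexplore.ieee.org/...` URL, and an `https://` form would be preferable.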
@@ -8407,6 +9283,105 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--0b4e7cfa-9f9d-49b0-b5bf-afdf62058c5a", + "created": "2026-04-22T22:55:44.526Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0912#AN2055", + "external_id": "AN2055" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:33:52.139Z", + "name": "Analytic 2055", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Wi-Fi messages are blocked.\n\nMonitor for a loss of network communications, which may indicate this technique is being used.\n\nMonitor for lack of operational process data which may help identify a loss of communications. 
This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.\n\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\n\nMonitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "name": "Operational Databases", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "name": "Databases", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "name": "Application Log", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "name": "Process", + "channel": "None" + } + ] + }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--1017530e-423d-4857-80b6-99891bf82d28", + "created": "2026-04-22T16:28:31.400Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0905#AN2048", + "external_id": "AN2048" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:33:52.442Z", + "name": "Analytic 2048", + "description": "Monitor network traffic for insecure credential use in protocols that allow unencrypted authentication.\n\nMonitor logon sessions for insecure credential use, when feasible.\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "name": "Logon Session", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--11a350cf-1ea0-4065-877b-c3bb410bf3a0", 
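Review bot: Analytic 2048 labels `x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c` as `"name": "Network Traffic"`, while Analytics 2058, 2057, 2050, 2045 and 2052 added later in this diff give the same reference `"name": "Traffic"` and use "Network Traffic" only for `x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a`. If `name` is expected to match a log source declared on the data component, one of the two labels is probably a slip, and tooling that joins analytics to telemetry on the (component, name) pair would silently lose this analytic's network coverage. The data component objects are not in this hunk, so this needs checking against them. If "Traffic" is the declared value, the entry here should read `"name": "Traffic"`.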
@@ -8640,6 +9615,58 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--22b202f2-d4dd-44dd-b5e1-791ff2aef8ed", + "created": "2026-04-23T00:42:36.732Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0915#AN2058", + "external_id": "AN2058" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:33:53.216Z", + "name": "Analytic 2058", + "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.\n\nMonitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.\n\nConsult asset management systems to understand expected program versions.\n\nMonitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. 
Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "name": "Operational Databases", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "name": "Asset", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "name": "Application Log", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--2388dc31-ba9a-4c12-b4b9-28bbc981c73e", 
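Review bot: Analytic 2058 (DET0915) has the same description and the same four `x_mitre_log_source_references` as Analytic 2057 (DET0914) added in the hunk at -9381, so a detection engineer cannot tell what distinguishes the two strategies. Analytics 2055 and 2053 are likewise identical apart from the phrase "Wi-Fi messages" and one comma. The techniques these analytics map to are not visible in this diff, so the duplication may be intentional. If it is, each description could open with a sentence naming the behaviour it covers. In both 2058 and 2057, "Monitor devices configuration logs" would read better as `Monitor device configuration logs`.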
@@ -8997,7 +10024,7 @@ ], "modified": "2025-10-21T15:10:28.402Z", "name": "Analytic 1879", - "description": "Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.\nMonitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.\nVarious techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).\nSpoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.\n\nVarious techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", + "description": "Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.\nMonitor asset logs for alarms or other information the adversary is unable to directly suppress. 
Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.\nVarious techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [Name Resolution Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).\nSpoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.\n\nVarious techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", 
@@ -9381,6 +10408,58 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--3c6aa6f7-29e9-41d9-8500-30b6d0533d64", + "created": "2026-04-23T00:31:46.350Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0914#AN2057", + "external_id": "AN2057" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:33:55.025Z", + "name": "Analytic 2057", + "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.\n\nMonitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.\n\nConsult asset management systems to understand expected program versions.\n\nMonitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. 
Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "name": "Operational Databases", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "name": "Asset", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "name": "Application Log", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--3e456d4d-397d-4e04-9261-9399960c9633", 
@@ -9422,11 +10501,69 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--3f052beb-d384-4ebe-b942-2c4ddeb95833", + "created": "2026-04-22T21:47:06.445Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0910#AN2053", + "external_id": "AN2053" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:33:55.408Z", + "name": "Analytic 2053", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if messages are blocked.\n\nMonitor for a loss of network communications, which may indicate this technique is being used.\n\nMonitor for lack of operational process data which may help identify a loss of communications. 
This will not directly detect the technique\u2019s execution but instead may provide additional evidence that the technique has been used and may complement other detections.\n\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\n\nMonitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "name": "Operational Databases", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "name": "Databases", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "name": "Application Log", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "name": "Process", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--3f10ffe9-fa73-4aeb-bf98-322831bf757f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -9457,11 +10594,12 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:10:28.402Z", + "modified": "2026-04-24T20:33:55.812Z", "name": "Analytic 1864", - "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. 
Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "ics-attack" @@ -9490,8 +10628,7 @@ "name": "Network Traffic", "channel": "None" } - ], - "x_mitre_deprecated": false + ] }, { "type": "x-mitre-analytic", 
@@ -9585,6 +10722,58 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--51a094bf-b7eb-452a-9b7a-ffac16fce1ac", + "created": "2026-04-22T18:49:31.209Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0907#AN2050", + "external_id": "AN2050" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:33:56.263Z", + "name": "Analytic 2050", + "description": "Monitor for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.\n\nMonitor for hosts enumerating network connected resources using non-ICS enterprise protocols. \n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "name": "Network", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--55544bb8-440f-4b67-aa35-7e7af5952aca", 
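Review bot: The first sentence of Analytic 2050's description, "by correlating process creation network data", appears to be missing a word, which leaves the correlation an analyst should build ambiguous. Given that the log sources list both "Process" and "Network Traffic", the intended text is presumably `by correlating process creation with network data`. The second paragraph also ends in `protocols. \n`, with a stray space before the newline that the other added analytics do not have.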
@@ -9722,6 +10911,48 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--613b28ef-88dd-4008-8d7e-206ce55a7cde", + "created": "2026-04-22T14:53:50.597Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0902#AN2045", + "external_id": "AN2045" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:33:56.808Z", + "name": "Analytic 2045", + "description": "Unauthorized messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Unauthorized messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for benign reasons. Monitor messages for changes in how they are constructed.\n\nMonitor for anomalous or unexpected messages that may result in changes to the process operation observable via asset application logs (e.g., discrete write, logic and device configuration, mode changes, safety triggers).\n\nConsider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": 
"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Traffic", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--636e612f-0b63-44e8-bf2c-31b62d20508b", 
@@ -9802,6 +11033,48 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--67861309-0ba7-4713-843e-3def87e396ec", + "created": "2026-04-22T20:45:49.233Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0909#AN2052", + "external_id": "AN2052" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:33:57.256Z", + "name": "Analytic 2052", + "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations.\n\nMonitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--68073351-4e4f-40e4-9394-a9166bb346d7", 
@@ -9831,6 +11104,43 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--6a510bf0-0289-4eb0-8645-89f0f4d32cf3", + "created": "2026-04-22T17:53:18.908Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0906#AN2049", + "external_id": "AN2049" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:33:57.629Z", + "name": "Analytic 2049", + "description": "Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "name": "File", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--6b3b3e92-bef7-4977-9895-29036bab29f1", @@ -10343,6 +11653,7 @@ "id": "x-mitre-analytic--880a1133-6639-42f0-96a8-3e914426d38b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
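Review bot: In the Analytic 2049 hunk, the description concedes that file-system monitoring alone cannot separate malicious project-file edits from legitimate ones, but it stops there and the only log source listed is `File`. A reader gets no second signal to correlate with. Consider adding a sentence such as `Compare project files against a known-good baseline recorded in asset management or version control to isolate unintended changes.`, which matches the asset-management guidance already given in Analytics 2056 and 2047 in this diff. "file systems modifications" should also read "file system modifications".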
@@ -10373,11 +11684,12 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:10:28.402Z", + "modified": "2026-04-24T20:33:58.916Z", "name": "Analytic 1922", - "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. 
Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "ics-attack" @@ -10406,8 +11718,7 @@ "name": "Firmware", "channel": "None" } - ], - "x_mitre_deprecated": false + ] }, { "type": "x-mitre-analytic", 
@@ -11193,6 +12504,63 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--c556c91d-64a0-401c-9c41-18971eeca0f2", + "created": "2026-04-22T15:07:57.495Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0903#AN2046", + "external_id": "AN2046" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:34:00.942Z", + "name": "Analytic 2046", + "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.\n\nMonitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.\n\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\n\nMonitor for a loss of network communications, which may indicate this technique is being used.\n\nMonitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. 
In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages are blocked.\n\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "name": "Process", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "name": "Operational Databases", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "name": "Application Log", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "name": "Databases", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--cbf791b4-5186-4205-ac5a-a56042aaebec", 
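Review bot: The `x_mitre_log_source_references` of Analytic 2046 label `x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95` as "Operational Databases" and `x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e` as "Databases", while the Analytic 2054 hunk gives the same two ids the opposite names. Analytics 2056 and 2047 attach "Operational Databases" to a third id, `x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298`. Analytic 2047 also calls `x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c` "Network Traffic", where Analytics 2052, 2051 and 2056 call it "Traffic" and use `x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a` for "Network Traffic". Anyone joining analytics to telemetry on the ref will resolve a different component than the displayed name suggests, so detection-coverage mapping built from this bundle can be silently wrong. Each `name` should be checked against the referenced `x-mitre-data-component` object (not visible in these hunks), and the bundle validated so that one ref never carries two names.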
@@ -11612,6 +12980,63 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--df7f8849-56a7-4e83-9fd7-a4f25227d960", + "created": "2026-04-22T22:41:28.415Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0911#AN2054", + "external_id": "AN2054" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:34:02.593Z", + "name": "Analytic 2054", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Ethernet messages are blocked.\n\nMonitor for a loss of network communications, which may indicate this technique is being used.\n\nMonitor for lack of operational process data which may help identify a loss of communications. 
This will not directly detect the technique\u2019s execution but instead may provide additional evidence that the technique has been used and may complement other detections.\n\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\n\nMonitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "name": "Operational Databases", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "name": "Databases", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "name": "Application Log", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "name": "Process", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--e25ef816-bbfd-4656-8ecb-c7eebcba31d4", 
@@ -11663,6 +13088,58 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--e379be82-39d7-4ae4-8557-f846ba19cd4b", + "created": "2026-04-23T00:08:52.524Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0913#AN2056", + "external_id": "AN2056" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:34:02.964Z", + "name": "Analytic 2056", + "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.\n\nMonitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.\n\nConsult asset management systems to understand expected program versions.\n\nMonitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. 
Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "name": "Operational Databases", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "name": "Asset", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "name": "Application Log", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--e8f51c53-fc55-441b-a45f-ba7709ccbce2", 
@@ -11924,6 +13401,48 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--f6324642-d17d-49d4-90b2-bab9d229d6fa", + "created": "2026-04-22T20:31:39.088Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0908#AN2051", + "external_id": "AN2051" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:34:03.863Z", + "name": "Analytic 2051", + "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations.\nMonitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Traffic", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "name": "Network Traffic", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--f666f516-f8d0-41f6-9a4c-0ac6c1f6086b", 
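Review bot: Analytic 2051 (AN2051 under DET0908) repeats the description and both log source references of Analytic 2052 (AN2052 under DET0909) added earlier in this diff; the only difference is one newline between the two paragraphs. With names that are just "Analytic 2051" and "Analytic 2052", nothing in either object tells a detection engineer which technique each one covers or how the two should differ. Each description should state which behaviour it targets. Analytics 2046 and 2054 have the same problem: the same paragraphs in reverse order, apart from minor wording such as the added word "Ethernet".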
@@ -12011,6 +13530,78 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--fc6641ac-5748-4498-89e9-d4ada2b6f88a", + "created": "2026-04-22T15:53:18.404Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0904#AN2047", + "external_id": "AN2047" + }, + { + "source_name": "McAfee CHIPSEC Blog", + "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", + "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/" + }, + { + "source_name": "MITRE Copernicus", + "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", + "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about" + }, + { + "source_name": "Intel HackingTeam UEFI Rootkit", + "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html" + }, + { + "source_name": "Github CHIPSEC", + "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. 
Retrieved March 20, 2017.", + "url": "https://github.com/chipsec/chipsec" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:34:04.333Z", + "name": "Analytic 2047", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\n\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\n\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.\n\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. 
The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "name": "Operational Databases", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "name": "Application Log", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "name": "Firmware", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + } + ] + }, { "type": "x-mitre-analytic", "id": "x-mitre-analytic--fcfe9c48-3a5a-49c8-96c3-be79414a8419", 
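Review bot: The `Intel HackingTeam UEFI Rootkit` reference in Analytic 2047 gives the publication date as "2005, July 16", which looks like a typo given that the linked archive snapshot is from 2017 and the retrieval date is 2024; confirm the year against the source. The `MITRE Copernicus` reference uses a plain `http://` URL, and an `https://` or archived link would be preferable if one exists. The description is also the same text as Analytic 1922, modified earlier in this diff, so the two analytics cannot be told apart by description.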
@@ -12112,7 +13703,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-23T18:37:33.992Z", "name": "Network Connection Creation", "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -12122,88 +13713,268 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { - "name": "Network Traffic", - "channel": "None" - }, - { - "name": "AWS:VPCFlowLogs", - "channel": "Outbound connection to 169.254.169.254 from EC2 workload" - }, - { - "name": "macos:unifiedlog", - "channel": "connection attempts" - }, - { - "name": "esxi:hostd", - "channel": "System service interactions" - }, - { - "name": "WinEventLog:Sysmon", - "channel": "EventCode=3, 22" - }, - { - "name": "NSM:Connections", - "channel": "web domain alerts" + "name": "NSM:Flow", + "channel": "log entries indicating network connection initiation on macOS" }, { "name": "auditd:SYSCALL", "channel": "connect" }, - { - "name": "macos:osquery", - "channel": "process_events/socket_events" - }, - { - "name": "NSM:Firewall", - "channel": "Outbound Connections" - }, - { - "name": "macos:unifiedlog", - "channel": "connection open" - }, { "name": "auditd:SYSCALL", "channel": "execve: Execs of chromium, google-chrome, firefox, libreoffice with http(s) in cmdline" }, { - "name": "NSM:Flow", - "channel": "New TCP/443 or TCP/80 to domain not previously seen for the user/host" + "name": "auditd:SYSCALL", + "channel": "connect/sendto" }, { - "name": "NSM:Connections", - "channel": "New outbound connection from Safari/Chrome/Firefox/Word" + "name": "auditd:SYSCALL", + "channel": "open or connect syscalls on /tmp/ssh-* or $SSH_AUTH_SOCK" }, { - "name": "NSM:Flow", - "channel": "conn.log" + "name": "auditd:SYSCALL", + "channel": "socket/connect with TLS context by unexpected process" }, { - "name": "macos:osquery", - "channel": "execution of trusted tools interacting with external endpoints" + "name": "auditd:SYSCALL", + "channel": "socket/bind: New bind() to a previously closed port shortly after the sequence." 
+ }, + { + "name": "auditd:SYSCALL", + "channel": "sendto/connect" + }, + { + "name": "auditd:SYSCALL", + "channel": "outbound connections" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/bind: Process binds to a new local port shortly after knock" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/connect calls showing SSH processes forwarding arbitrary ports" + }, + { + "name": "auditd:SYSCALL", + "channel": "openat,connect -k discovery" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Outbound connection to 169.254.169.254 from EC2 workload" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Large transfer volume (>20MB) from RDS IP range to external public IPs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "High outbound traffic from new region resource" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Outbound connections to port 22, 3389" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Traffic observed on mirror destination instance" + }, + { + "name": "cni:netflow", + "channel": "outbound connection to internal or external APIs" + }, + { + "name": "ebpf:syscalls", + "channel": "socket connect" + }, + { + "name": "esxi:esxupdate", + "channel": "/var/log/esxupdate.log or /var/log/vmksummary.log" + }, + { + "name": "esxi:hostd", + "channel": "System service interactions" + }, + { + "name": "esxi:hostd", + "channel": "Service initiated connections" + }, + { + "name": "esxi:hostd", + "channel": "Service-Based Network Connection" + }, + { + "name": "esxi:vmkernel", + "channel": "protocol egress" + }, + { + "name": "esxi:vmkernel", + "channel": "network activity" + }, + { + "name": "esxi:vmkernel", + "channel": "None" + }, + { + "name": "esxi:vmkernel", + "channel": "network session initiation with external HTTPS services" + }, + { + "name": "linux:osquery", + "channel": "family=AF_PACKET or protocol raw; process name not in allowlist." 
+ }, + { + "name": "linux:syslog", + "channel": "network" + }, + { + "name": "linux:syslog", + "channel": "postfix/smtpd" + }, + { + "name": "linux:syslog", + "channel": "New Wi-Fi connection established or repeated association failures" + }, + { + "name": "linux:syslog", + "channel": "None" }, { "name": "linux:Sysmon", "channel": "EventCode=3, 22" }, { - "name": "WinEventLog:Microsoft-Windows-Bits-Client/Operational", - "channel": "BITS job lifecycle events such as job create/modify/transfer/complete and URL/remote name fields" + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_CONNECT" }, { - "name": "NSM:Firewall", - "channel": "proxy or TLS inspection logs" + "name": "macos:osquery", + "channel": "process_events/socket_events" + }, + { + "name": "macos:osquery", + "channel": "execution of trusted tools interacting with external endpoints" + }, + { + "name": "macos:osquery", + "channel": "launchd or network_events" + }, + { + "name": "macos:osquery", + "channel": "process_events + launchd" + }, + { + "name": "macos:osquery", + "channel": "process_events, socket_events" + }, + { + "name": "macos:osquery", + "channel": "CONNECT: Long-lived connections from remote-control parents to external IPs/domains" + }, + { + "name": "macos:osquery", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "connection attempts" + }, + { + "name": "macos:unifiedlog", + "channel": "connection open" }, { "name": "macos:unifiedlog", "channel": "network connection events" }, { - "name": "esxi:vmkernel", - "channel": "protocol egress" + "name": "macos:unifiedlog", + "channel": "First outbound connection from the same PID/user shortly after an inbound trigger." 
+ }, + { + "name": "macos:unifiedlog", + "channel": "network sessions initiated by remote desktop apps" + }, + { + "name": "macos:unifiedlog", + "channel": "Inbound connections to VNC/SSH ports" + }, + { + "name": "macos:unifiedlog", + "channel": "network" + }, + { + "name": "macos:unifiedlog", + "channel": "Outbound Traffic" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "networkd or socket" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream network activity" + }, + { + "name": "macos:unifiedlog", + "channel": "Association and authentication events including failures and new SSIDs" + }, + { + "name": "Network", + "channel": "None" + }, + { + "name": "Network Traffic", + "channel": "None" + }, + { + "name": "networkdevice:Flow", + "channel": "Traffic from mirrored interface to mirror target IP" + }, + { + "name": "networkdevice:syslog", + "channel": "Dynamic route changes" + }, + { + "name": "NSM:Connections", + "channel": "web domain alerts" + }, + { + "name": "NSM:Connections", + "channel": "New outbound connection from Safari/Chrome/Firefox/Word" + }, + { + "name": "NSM:Connections", + "channel": "Outbound connections from newly spawned child processes or from the browser to uncommon endpoints or on anomalous ports" + }, + { + "name": "NSM:Connections", + "channel": "Outbound connection after script or installer launch" + }, + { + "name": "NSM:Firewall", + "channel": "Outbound Connections" + }, + { + "name": "NSM:Firewall", + "channel": "proxy or TLS inspection logs" + }, + { + "name": "NSM:Flow", + "channel": "New TCP/443 or TCP/80 to domain not previously seen for the user/host" + }, + { + "name": "NSM:Flow", + "channel": "conn.log" }, { "name": "NSM:Flow", 
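Review bot: The re-sorted `x_mitre_log_sources` list for Network Connection Creation now begins with a new entry, `"name": "NSM:Flow"` with `"channel": "log entries indicating network connection initiation on macOS"`. It sits outside the alphabetical order used for the rest of the list, and it pairs a network-sensor source name with a channel that describes macOS host logs. It looks like it was meant to be a `macos:unifiedlog` entry; confirm the intended source name and place it with its group. The list also keeps near-duplicate pairs, such as `auditd:SYSCALL` with `connect/sendto` and `sendto/connect`, and `macos:osquery` with `process_events/socket_events` and `process_events, socket_events`, which could be merged while the list is being reordered.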
@@ -12217,26 +13988,10 @@ "name": "NSM:Flow", "channel": "HTTPs connection to tunnels.api.visualstudio.com" }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=5156, 5157" - }, - { - "name": "linux:osquery", - "channel": "family=AF_PACKET or protocol raw; process name not in allowlist." - }, - { - "name": "macos:unifiedlog", - "channel": "First outbound connection from the same PID/user shortly after an inbound trigger." - }, { "name": "NSM:Flow", "channel": "Outbound or inbound TFTP file transfers of ROMMON or firmware binaries" }, - { - "name": "NSM:Connections", - "channel": "Outbound connections from newly spawned child processes or from the browser to uncommon endpoints or on anomalous ports" - }, { "name": "NSM:Flow", "channel": "connection: TCP connections to ports 139/445 to multiple hosts" 
@@ -12245,62 +14000,18 @@ "name": "NSM:Flow", "channel": "connection: SMB connections to multiple internal hosts" }, - { - "name": "auditd:SYSCALL", - "channel": "connect/sendto" - }, - { - "name": "macos:endpointsecurity", - "channel": "ES_EVENT_TYPE_NOTIFY_CONNECT" - }, - { - "name": "snmp:access", - "channel": "GETBULK/GETNEXT requests for OIDs associated with configuration parameters" - }, - { - "name": "esxi:hostd", - "channel": "Service initiated connections" - }, - { - "name": "AWS:VPCFlowLogs", - "channel": "Large transfer volume (>20MB) from RDS IP range to external public IPs" - }, - { - "name": "AWS:VPCFlowLogs", - "channel": "High outbound traffic from new region resource" - }, { "name": "NSM:Flow", "channel": "Outbound HTTP/S initiated by newly installed interpreter process" }, - { - "name": "auditd:SYSCALL", - "channel": "open or connect syscalls on /tmp/ssh-* or $SSH_AUTH_SOCK" - }, { "name": "NSM:Flow", "channel": "outbound connections to RMM services or to unusual destination ports" }, - { - "name": "macos:unifiedlog", - "channel": "network sessions initiated by remote desktop apps" - }, - { - "name": "AWS:VPCFlowLogs", - "channel": "Outbound connections to port 22, 3389" - }, - { - "name": "auditd:SYSCALL", - "channel": "socket/connect with TLS context by unexpected process" - }, { "name": "NSM:Flow", "channel": "Multiple failed connections (conn_state=REJ/S0 or history has 'R') across distinct ports from the same src_ip followed by success to a specific port." }, - { - "name": "auditd:SYSCALL", - "channel": "socket/bind: New bind() to a previously closed port shortly after the sequence." - }, { "name": "NSM:Flow", "channel": "Sequence of REJ/S0 then SF success from same src_ip within TimeWindow." 
@@ -12313,18 +14024,6 @@ "name": "NSM:Flow", "channel": "Outbound traffic spike through formerly blocked ports/subnets following config change" }, - { - "name": "cni:netflow", - "channel": "outbound connection to internal or external APIs" - }, - { - "name": "macos:osquery", - "channel": "launchd or network_events" - }, - { - "name": "networkdevice:syslog", - "channel": "Dynamic route changes" - }, { "name": "NSM:Flow", "channel": "New egress to Internet by the same UID/host shortly after terminal exec" @@ -12333,30 +14032,10 @@ "name": "NSM:Flow", "channel": "connection: Inbound connections to SSH or VPN ports" }, - { - "name": "macos:unifiedlog", - "channel": "Inbound connections to VNC/SSH ports" - }, { "name": "NSM:Flow", "channel": "External access to container ports (2375, 6443)" }, - { - "name": "linux:syslog", - "channel": "network" - }, - { - "name": "macos:osquery", - "channel": "process_events + launchd" - }, - { - "name": "esxi:esxupdate", - "channel": "/var/log/esxupdate.log or /var/log/vmksummary.log" - }, - { - "name": "ebpf:syscalls", - "channel": "socket connect" - }, { "name": "NSM:Flow", "channel": "remote access" @@ -12365,26 +14044,6 @@ "name": "NSM:Flow", "channel": "Outbound Connections" }, - { - "name": "macos:unifiedlog", - "channel": "network" - }, - { - "name": "AWS:VPCFlowLogs", - "channel": "Traffic observed on mirror destination instance" - }, - { - "name": "networkdevice:Flow", - "channel": "Traffic from mirrored interface to mirror target IP" - }, - { - "name": "macos:osquery", - "channel": "process_events, socket_events" - }, - { - "name": "esxi:vmkernel", - "channel": "network activity" - }, { "name": "NSM:Flow", "channel": "connection attempts" 
@@ -12393,26 +14052,10 @@ "name": "NSM:Flow", "channel": "High-volume or repeated SNMP GETBULK/GETNEXT queries from untrusted or external IPs" }, - { - "name": "auditd:SYSCALL", - "channel": "sendto/connect" - }, { "name": "NSM:Flow", "channel": "outbound connections from host during or immediately after image build" }, - { - "name": "macos:unifiedlog", - "channel": "Outbound Traffic" - }, - { - "name": "esxi:hostd", - "channel": "Service-Based Network Connection" - }, - { - "name": "linux:syslog", - "channel": "postfix/smtpd" - }, { "name": "NSM:Flow", "channel": "new outbound connection from browser/office lineage" @@ -12421,38 +14064,10 @@ "name": "NSM:Flow", "channel": "new outbound connection from exploited lineage" }, - { - "name": "macos:osquery", - "channel": "CONNECT: Long-lived connections from remote-control parents to external IPs/domains" - }, - { - "name": "auditd:SYSCALL", - "channel": "outbound connections" - }, - { - "name": "macos:unifiedlog", - "channel": "None" - }, - { - "name": "esxi:vmkernel", - "channel": "None" - }, - { - "name": "macos:unifiedlog", - "channel": "networkd or socket" - }, - { - "name": "macos:unifiedlog", - "channel": "log stream network activity" - }, { "name": "NSM:Flow", "channel": "Multiple failed connections to closed ports (history contains 'R' or conn_state in {REJ, S0}) followed by a successful handshake to a new port from same src within TimeWindowKnock" }, - { - "name": "auditd:SYSCALL", - "channel": "socket/bind: Process binds to a new local port shortly after knock" - }, { "name": "NSM:Flow", "channel": "Closed-port hits followed by success from same src_ip" 
@@ -12461,42 +14076,6 @@ "name": "NSM:Flow", "channel": "Port-knock pattern from one src to device unicast,broadcast,network addresses on same port within TimeWindowKnock" }, - { - "name": "WinEventLog:Microsoft-Windows-WLAN-AutoConfig", - "channel": "EventCode=8001, 8002, 8003" - }, - { - "name": "linux:syslog", - "channel": "New Wi-Fi connection established or repeated association failures" - }, - { - "name": "macos:unifiedlog", - "channel": "Association and authentication events including failures and new SSIDs" - }, - { - "name": "auditd:SYSCALL", - "channel": "socket/connect calls showing SSH processes forwarding arbitrary ports" - }, - { - "name": "esxi:vmkernel", - "channel": "network session initiation with external HTTPS services" - }, - { - "name": "WinEventLog:System", - "channel": "EventCode=8001" - }, - { - "name": "linux:syslog", - "channel": "None" - }, - { - "name": "macos:osquery", - "channel": "None" - }, - { - "name": "auditd:SYSCALL", - "channel": "openat,connect -k discovery" - }, { "name": "NSM:Flow", "channel": "Unexpected inbound/outbound TFTP traffic for device image files" @@ -12504,6 +14083,30 @@ { "name": "NSM:Flow", "channel": "Unexpected or unauthorized inbound connections to SNMP, NETCONF, or RESTCONF services" + }, + { + "name": "snmp:access", + "channel": "GETBULK/GETNEXT requests for OIDs associated with configuration parameters" + }, + { + "name": "WinEventLog:Microsoft-Windows-Bits-Client/Operational", + "channel": "BITS job lifecycle events such as job create/modify/transfer/complete and URL/remote name fields" + }, + { + "name": "WinEventLog:Microsoft-Windows-WLAN-AutoConfig", + "channel": "EventCode=8001, 8002, 8003" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=5156, 5157" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=3, 22" + }, + { + "name": "WinEventLog:System", + "channel": "EventCode=8001" } ] }, 
@@ -12523,190 +14126,103 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-23T18:39:07.536Z", "name": "File Access", "description": "To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: \n\n- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.\n- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).\n- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows).\n- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).\n- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { - "name": "File", - "channel": "None" + "name": "macOS:unifiedlog", + "channel": "looking for file access to scripts with abnormal encoding patterns" }, { - "name": "m365:unified", - "channel": "FileAccessed, MailboxAccessed" + "name": "android:logcat", + "channel": "READ or COPY operations where path matches external/shared locations of other apps (e.g., /storage/emulated/0/Android/data//files/, /storage/emulated/0/Download//*)" }, { - "name": 
"auditd:SYSCALL", - "channel": "open, read, or stat of browser config files" + "name": "android:logcat", + "channel": "KeyChain/AndroidKeyStore read of token alias" }, { - "name": "macos:unifiedlog", - "channel": "Access to ~/Library/*/Safari or Chrome directories by non-browser processes" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4663, 4670, 4656" - }, - { - "name": "macos:unifiedlog", - "channel": "file events" - }, - { - "name": "gcp:audit", - "channel": "Write operations to storage" - }, - { - "name": "esxi:vmkernel", - "channel": "VMFS access logs" - }, - { - "name": "macos:endpointsecurity", - "channel": "ES_EVENT_TYPE_NOTIFY_OPEN: Open of .dylib/.so in user-writable locations" - }, - { - "name": "auditd:SYSCALL", - "channel": "open: File access attempt on /tmp/krb5cc_* or /tmp/krb5.ccache" - }, - { - "name": "macos:unifiedlog", - "channel": "Kerberos framework calls to API:{uuid} cache outside normal process lineage" - }, - { - "name": "auditd:SYSCALL", - "channel": "openat" + "name": "android:logcat", + "channel": "READ/LIST/STAT of /sdcard|/storage/emulated/0|/Android/media|/Documents with >N distinct paths in TimeWindow" }, { "name": "auditd:FILE", "channel": "/home/*/.mozilla/firefox/*/logins.json OR /home/*/.config/google-chrome/*/Login Data" }, - { - "name": "macos:unifiedlog", - "channel": "~/Library/Application Support/Google/Chrome/*/Login Data OR ~/Library/Application Support/Firefox/*/logins.json" - }, - { - "name": "auditd:SYSCALL", - "channel": "open" - }, { "name": "auditd:FILE", "channel": "/proc/*/mem read attempt" }, + { + "name": "auditd:FS", + "channel": "read: File access to /proc/modules or /sys/module/" + }, { "name": "auditd:PATH", "channel": "Read access to known backup software configuration files (e.g., /etc/rsnapshot.conf, /opt/veeam/config.ini)" }, { - "name": "macos:unifiedlog", - "channel": "Read access to Time Machine plist files or CCC configurations in ~/Library/Preferences/" + "name": "auditd:PATH", 
+ "channel": "open: Access to sensitive log files (/var/log/auth.log, /var/log/secure, /var/log/syslog)" + }, + { + "name": "auditd:PATH", + "channel": "PATH" + }, + { + "name": "auditd:PATH", + "channel": "file read" + }, + { + "name": "auditd:SYSCALL", + "channel": "open, read, or stat of browser config files" + }, + { + "name": "auditd:SYSCALL", + "channel": "open: File access attempt on /tmp/krb5cc_* or /tmp/krb5.ccache" + }, + { + "name": "auditd:SYSCALL", + "channel": "openat" + }, + { + "name": "auditd:SYSCALL", + "channel": "open" }, { "name": "auditd:SYSCALL", "channel": "open, read" }, - { - "name": "linux:syslog", - "channel": "auth.log or custom tool logs" - }, - { - "name": "fs:fsusage", - "channel": "file" - }, - { - "name": "linux:syslog", - "channel": "/var/log/syslog" - }, - { - "name": "macos:osquery", - "channel": "file_events" - }, { "name": "auditd:SYSCALL", "channel": "open, flock, fcntl, unlink" }, - { - "name": "fs:fsusage", - "channel": "File Access Monitor" - }, - { - "name": "macos:unifiedlog", - "channel": "log stream - file subsystem" - }, { "name": "auditd:SYSCALL", "channel": "read/open of sensitive files" }, - { - "name": "macos:unifiedlog", - "channel": "file read of sensitive directories" - }, - { - "name": "esxi:hostd", - "channel": "datastore file access" - }, { "name": "auditd:SYSCALL", "channel": "Unusual processes accessing or modifying cookie databases" }, - { - "name": "macos:unifiedlog", - "channel": "Abnormal process access to Safari or Chrome cookie storage" - }, { "name": "auditd:SYSCALL", "channel": "PATH records referencing /dev/video*" }, - { - "name": "macos:endpointsecurity", - "channel": "open: Process opens AppleCamera/IOUSB device nodes or AVFoundation frameworks" - }, - { - "name": "ebpf:syscalls", - "channel": "container_file_activity" - }, - { - "name": "fs:fsusage", - "channel": "Disk Activity Tracing" - }, - { - "name": "macos:keychain", - "channel": "Access to Keychain DB or system.keychain" - }, { "name": 
"auditd:SYSCALL", "channel": "open, read: /etc/ssl/, /etc/pki/, ~/.pki/nssdb/" }, - { - "name": "macos:keychain", - "channel": "~/Library/Keychains, /Library/Keychains" - }, - { - "name": "m365:unified", - "channel": "Bulk downloads or API extractions from Microsoft-hosted data repositories (e.g., Dynamics 365)" - }, - { - "name": "auditd:PATH", - "channel": "open: Access to sensitive log files (/var/log/auth.log, /var/log/secure, /var/log/syslog)" - }, - { - "name": "macos:unifiedlog", - "channel": "open: Access to /var/log/system.log or related security event logs" - }, - { - "name": "azure:activity", - "channel": "CollectGuestLogs: Unexpected collection of guest logs by Azure VM Agent outside normal maintenance windows" - }, - { - "name": "esxi:hostd", - "channel": "read: Access to sensitive log files by non-admin users" - }, { "name": "auditd:SYSCALL", "channel": "Processes reading credential or token cache files" 
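Review bot: The first added log source in this hunk is spelled `"name": "macOS:unifiedlog"`, while every other unified-log entry in this list, including the ones re-added in the later hunk at -12939, uses `macos:unifiedlog`. A consumer that groups or matches on the exact source name would treat it as a separate source, so I would write `"name": "macos:unifiedlog",` and place it with the other macos entries. The added `android:logcat` channel also contains empty path segments (`/Android/data//files/`, `/Download//*`), which looks like a package placeholder was lost, possibly an angle-bracket token stripped on export. The same pattern appears in the mobile entries added in the hunk at -13329. The `x_mitre_log_sources` array continues beyond this hunk.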
@@ -12715,138 +14231,42 @@ "name": "auditd:SYSCALL", "channel": "read/open of sensitive file directories" }, - { - "name": "esxi:hostd", - "channel": "datastore/log file access" - }, - { - "name": "fs:fsusage", - "channel": "filesystem activity" - }, - { - "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", - "channel": "Suspicious file execution on removable media path" - }, - { - "name": "auditd:PATH", - "channel": "PATH" - }, { "name": "auditd:SYSCALL", "channel": "open/read of sensitive config or secret files" }, - { - "name": "macos:unifiedlog", - "channel": "open/read of *.plist or .env files" - }, - { - "name": "ebpf:syscalls", - "channel": "open/read on secret mount paths" - }, - { - "name": "CloudTrail:GetObject", - "channel": "sensitive credential files in buckets or local image storage" - }, { "name": "auditd:SYSCALL", "channel": "open/read of sensitive directories" }, - { - "name": "macos:unifiedlog", - "channel": "read of user document directories" - }, - { - "name": "esxi:syslog", - "channel": "guest OS outbound transfer logs" - }, - { - "name": "fs:fsusage", - "channel": "Filesystem Call Monitoring" - }, - { - "name": "esxi:hostd", - "channel": "vSphere File API Access" - }, { "name": "auditd:SYSCALL", "channel": "open/read: Access to /proc/self/status with focus on TracerPID field" }, - { - "name": "fs:fsusage", - "channel": "read/write" - }, - { - "name": "esxis:vmkernel", - "channel": "Datastore Access" - }, { "name": "auditd:SYSCALL", "channel": "open/read access to ~/.bash_history" }, - { - "name": "macos:endpointsecurity", - "channel": "open or read syscall to ~/.bash_history" - }, - { - "name": "macos:unifiedlog", - "channel": "read access to ~/Library/Keychains/login.keychain-db" - }, { "name": "auditd:SYSCALL", "channel": "open,read" }, - { - "name": "macos:unifiedlog", - "channel": "filesystem and process events" - }, { "name": "auditd:SYSCALL", "channel": "open/read system calls to ~/.bash_history or /etc/shadow" }, - { - 
"name": "macos:unifiedlog", - "channel": "read access to ~/Library/Keychains or history files by terminal processes" - }, { "name": "auditd:SYSCALL", "channel": "read of /run/secrets or docker volumes by non-entrypoint process" }, - { - "name": "macos:unifiedlog", - "channel": "access to /Volumes/SharePoint or network mount" - }, { "name": "auditd:SYSCALL", "channel": "Reads of ~/.bash_history, ~/.mozilla, or access to /dev/input" }, - { - "name": "macos:unifiedlog", - "channel": "Access to ~/Library/Safari/Bookmarks.plist or recent files" - }, { "name": "auditd:SYSCALL", "channel": "open/read" }, - { - "name": "macos:unifiedlog", - "channel": "access to keychain database" - }, - { - "name": "auditd:PATH", - "channel": "file read" - }, - { - "name": "linux:syslog", - "channel": "kernel messages related to cryptographic operations, module loading, and filesystem access patterns" - }, - { - "name": "fs:fsevents", - "channel": "file system events indicating access to system configuration files and environmental information sources" - }, - { - "name": "macos:endpointsecurity", - "channel": "es_event_open, es_event_exec" - }, { "name": "auditd:SYSCALL", "channel": "open: Access to named pipes or FIFO in /tmp or /dev/shm by unexpected processes" 
@@ -12855,82 +14275,22 @@ "name": "auditd:SYSCALL", "channel": "open or read to browser cookie storage" }, - { - "name": "fs:fsusage", - "channel": "file open for known browser cookie paths" - }, { "name": "auditd:SYSCALL", "channel": "open, read, mount" }, - { - "name": "fs:fsusage", - "channel": "file reads/writes from /Volumes/" - }, - { - "name": "macos:unifiedlog", - "channel": "log stream - file provider subsystem" - }, { "name": "auditd:SYSCALL", "channel": "file" }, - { - "name": "kubernetes:audit", - "channel": "GET or LIST requests to /var/run/secrets/kubernetes.io/serviceaccount/ followed by access to the Kubernetes API server" - }, { "name": "auditd:SYSCALL", "channel": "Access to /var/lib/sss/secrets/secrets.ldb or .secrets.mkey" }, - { - "name": "fs:quarantine", - "channel": "/var/log/quarantine.log" - }, - { - "name": "desktop:file_manager", - "channel": "nautilus, dolphin, or gvfs logs" - }, - { - "name": "linux:osquery", - "channel": "/proc/*/maps access" - }, { "name": "auditd:SYSCALL", "channel": "open/read of sensitive directories (/etc, /home/*)" }, - { - "name": "macos:unifiedlog", - "channel": "read/write of user documents prior to upload" - }, - { - "name": "esxi:hostd", - "channel": "file copy or datastore upload via HTTPS" - }, - { - "name": "macos:unifiedlog", - "channel": "open/read access to private key files (id_rsa, *.pem, *.p12)" - }, - { - "name": "linux:osquery", - "channel": "None" - }, - { - "name": "macos:osquery", - "channel": "None" - }, - { - "name": "fs:fileevents", - "channel": "File system access events with kFSEventStreamEventFlagItemRemoved, kFSEventStreamEventFlagItemRenamed flags for environmental artifact collection (/System/Library, /usr/sbin, plist files)" - }, - { - "name": "auditd:FS", - "channel": "read: File access to /proc/modules or /sys/module/" - }, - { - "name": "macos:unifiedlog", - "channel": "read: File access to /System/Library/Extensions/ or related kernel extension paths" - }, { "name": 
"auditd:SYSCALL", "channel": "PATH" 
@@ -12939,9 +14299,297 @@ "name": "auditd:SYSCALL", "channel": "open/read on ~/.local/share/keepassxc/* OR ~/.password-store/*" }, + { + "name": "auditd:SYSCALL", + "channel": "attempts to read /proc/* entries at scale (openat/getdents64/readlink) or access denied for /proc traversal; correlate to app UID" + }, + { + "name": "azure:activity", + "channel": "CollectGuestLogs: Unexpected collection of guest logs by Azure VM Agent outside normal maintenance windows" + }, + { + "name": "CloudTrail:GetObject", + "channel": "sensitive credential files in buckets or local image storage" + }, + { + "name": "desktop:file_manager", + "channel": "nautilus, dolphin, or gvfs logs" + }, + { + "name": "ebpf:syscalls", + "channel": "container_file_activity" + }, + { + "name": "ebpf:syscalls", + "channel": "open/read on secret mount paths" + }, + { + "name": "esxi:hostd", + "channel": "datastore file access" + }, + { + "name": "esxi:hostd", + "channel": "read: Access to sensitive log files by non-admin users" + }, + { + "name": "esxi:hostd", + "channel": "datastore/log file access" + }, + { + "name": "esxi:hostd", + "channel": "vSphere File API Access" + }, + { + "name": "esxi:hostd", + "channel": "file copy or datastore upload via HTTPS" + }, + { + "name": "esxi:syslog", + "channel": "guest OS outbound transfer logs" + }, + { + "name": "esxi:vmkernel", + "channel": "VMFS access logs" + }, + { + "name": "esxis:vmkernel", + "channel": "Datastore Access" + }, + { + "name": "File", + "channel": "None" + }, + { + "name": "fs:fileevents", + "channel": "File system access events with kFSEventStreamEventFlagItemRemoved, kFSEventStreamEventFlagItemRenamed flags for environmental artifact collection (/System/Library, /usr/sbin, plist files)" + }, + { + "name": "fs:fsevents", + "channel": "file system events indicating access to system configuration files and environmental information sources" + }, + { + "name": "fs:fsusage", + "channel": "file" + }, + { + "name": "fs:fsusage", + "channel": 
"File Access Monitor" + }, + { + "name": "fs:fsusage", + "channel": "Disk Activity Tracing" + }, + { + "name": "fs:fsusage", + "channel": "filesystem activity" + }, + { + "name": "fs:fsusage", + "channel": "Filesystem Call Monitoring" + }, + { + "name": "fs:fsusage", + "channel": "read/write" + }, + { + "name": "fs:fsusage", + "channel": "file open for known browser cookie paths" + }, + { + "name": "fs:fsusage", + "channel": "file reads/writes from /Volumes/" + }, + { + "name": "fs:quarantine", + "channel": "/var/log/quarantine.log" + }, + { + "name": "gcp:audit", + "channel": "Write operations to storage" + }, + { + "name": "iOS:unifiedlog", + "channel": "READ operations from App Group containers (/var/mobile/Containers/Shared/AppGroup/...) or Files/Photos provider mountpoints, especially when group not owned by bundle" + }, + { + "name": "iOS:unifiedlog", + "channel": "readdir/stat/read of /private/var/mobile/Containers/Shared/AppGroup|/Library/Mobile Documents|/On\\\\ My\\\\ iPhone with >N distinct paths in TimeWindow" + }, + { + "name": "kubernetes:audit", + "channel": "GET or LIST requests to /var/run/secrets/kubernetes.io/serviceaccount/ followed by access to the Kubernetes API server" + }, + { + "name": "linux:osquery", + "channel": "/proc/*/maps access" + }, + { + "name": "linux:osquery", + "channel": "None" + }, + { + "name": "linux:syslog", + "channel": "auth.log or custom tool logs" + }, + { + "name": "linux:syslog", + "channel": "/var/log/syslog" + }, + { + "name": "linux:syslog", + "channel": "kernel messages related to cryptographic operations, module loading, and filesystem access patterns" + }, + { + "name": "m365:unified", + "channel": "FileAccessed, MailboxAccessed" + }, + { + "name": "m365:unified", + "channel": "Bulk downloads or API extractions from Microsoft-hosted data repositories (e.g., Dynamics 365)" + }, + { + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_OPEN: Open of .dylib/.so in user-writable locations" + }, + { 
+ "name": "macos:endpointsecurity", + "channel": "open: Process opens AppleCamera/IOUSB device nodes or AVFoundation frameworks" + }, + { + "name": "macos:endpointsecurity", + "channel": "open or read syscall to ~/.bash_history" + }, + { + "name": "macos:endpointsecurity", + "channel": "es_event_open, es_event_exec" + }, + { + "name": "macos:keychain", + "channel": "Access to Keychain DB or system.keychain" + }, + { + "name": "macos:keychain", + "channel": "~/Library/Keychains, /Library/Keychains" + }, + { + "name": "macos:osquery", + "channel": "file_events" + }, + { + "name": "macos:osquery", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "Access to ~/Library/*/Safari or Chrome directories by non-browser processes" + }, + { + "name": "macos:unifiedlog", + "channel": "file events" + }, + { + "name": "macos:unifiedlog", + "channel": "Kerberos framework calls to API:{uuid} cache outside normal process lineage" + }, + { + "name": "macos:unifiedlog", + "channel": "~/Library/Application Support/Google/Chrome/*/Login Data OR ~/Library/Application Support/Firefox/*/logins.json" + }, + { + "name": "macos:unifiedlog", + "channel": "Read access to Time Machine plist files or CCC configurations in ~/Library/Preferences/" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream - file subsystem" + }, + { + "name": "macos:unifiedlog", + "channel": "file read of sensitive directories" + }, + { + "name": "macos:unifiedlog", + "channel": "Abnormal process access to Safari or Chrome cookie storage" + }, + { + "name": "macos:unifiedlog", + "channel": "open: Access to /var/log/system.log or related security event logs" + }, + { + "name": "macos:unifiedlog", + "channel": "open/read of *.plist or .env files" + }, + { + "name": "macos:unifiedlog", + "channel": "read of user document directories" + }, + { + "name": "macos:unifiedlog", + "channel": "read access to ~/Library/Keychains/login.keychain-db" + }, + { + "name": "macos:unifiedlog", + "channel": 
"filesystem and process events" + }, + { + "name": "macos:unifiedlog", + "channel": "read access to ~/Library/Keychains or history files by terminal processes" + }, + { + "name": "macos:unifiedlog", + "channel": "access to /Volumes/SharePoint or network mount" + }, + { + "name": "macos:unifiedlog", + "channel": "Access to ~/Library/Safari/Bookmarks.plist or recent files" + }, + { + "name": "macos:unifiedlog", + "channel": "access to keychain database" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream - file provider subsystem" + }, + { + "name": "macos:unifiedlog", + "channel": "read/write of user documents prior to upload" + }, + { + "name": "macos:unifiedlog", + "channel": "open/read access to private key files (id_rsa, *.pem, *.p12)" + }, + { + "name": "macos:unifiedlog", + "channel": "read: File access to /System/Library/Extensions/ or related kernel extension paths" + }, { "name": "macos:unifiedlog", "channel": "*.opvault OR *.ldb OR *.kdbx" + }, + { + "name": "macos:unifiedlog", + "channel": "Recent download opened or executed" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application reads multiple local container files, browser-history artifacts, messaging artifacts, or local records in rapid sequence during the collection phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application loads executable or library from external or writable directory (e.g., /sdcard/, app cache) prior to execution" + }, + { + "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", + "channel": "Suspicious file execution on removable media path" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4663, 4670, 4656" } ] }, 
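Review bot: The re-sorted list still carries `"name": "esxis:vmkernel"` (channel `Datastore Access`) directly after the correctly spelled `esxi:vmkernel` entry, so the typo survives the rewrite and that channel will not be grouped with the other ESXi vmkernel sources. I would change it to `"name": "esxi:vmkernel",`. Separately, the `File`, `linux:osquery` and `macos:osquery` entries are re-added with `"channel": "None"`, a string sentinel that gives a detection engineer nothing to collect. If no channel is known, dropping those entries or naming the actual table or event would be clearer. The array these lines belong to starts in an earlier hunk.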
@@ -12961,17 +14609,17 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-23T17:17:05.280Z", "name": "File Creation", "description": "A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). ", - "x_mitre_data_source_ref": "", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { 
@@ -13329,6 +14977,162 @@ { "name": "AWS:CloudTrail", "channel": "PutObject" + }, + { + "name": "android:logcat", + "channel": "App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data//files/, /sdcard/Download/) and high estimated entropy" + }, + { + "name": "iOS:unifiedlog", + "channel": "NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application//tmp|Library/Caches)" + }, + { + "name": "android:logcat", + "channel": "App UID writes edited media to container paths (e.g., /data/data//files/, .../cache/, /storage/emulated/0/Pictures//) with high delta in size vs. original and elevated estimated segment entropy " + }, + { + "name": "android:logcat", + "channel": "Create/write of high-entropy files in /data/data//(files|cache)/ or /storage/emulated/0/<...> with .dex/.so/.jar/.tmp/.bin" + }, + { + "name": "iOS:unifiedlog", + "channel": "Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/" + }, + { + "name": "android:logcat", + "channel": "Create/write under /data/data//(files|cache)/ or /storage/emulated/0/ with extension .dex/.jar/.so/.zip/.tmp/.js and elevated entropy" + }, + { + "name": "iOS:unifiedlog", + "channel": "Create/write in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/ for .js/.bundle/.dylib/.zip with elevated entropy" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt)" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE of clipboard dump artifacts in 
container (clipboard.db, clip_*.txt, caches)" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE paths like /data/data//files/(keys|inputs)/.*\\\\.db|\\\\.txt|\\\\.log" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE to /data/data//(files|databases)/(keys|inputs|clipboard).*\\\\.(db|sqlite|txt|log)" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE of keylog artifacts (keys_*.txt, inputs.db) within app/keyboard container" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE to /data/data//(files|databases)/(creds|form|prompt).*\\\\.(db|sqlite|json|txt)" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE /data/data//(files|databases)/(app_inventory|pkg_list).*\\\\.(json|txt|db)" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE container paths like /Library/Caches/app_inventory.*\\\\.(json|plist|db)" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE /data/data//(files|databases)/(security_inventory|policy_audit).*\\\\.(json|txt|db|plist)" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE of /Library/Caches/security_inventory.*\\\\.(json|plist|db)" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content" + }, + { + "name": "MobileEDR:telemetry", + "channel": "File writes from removable-media or USB-associated paths into download, package staging, temp, or application-accessible storage shortly after USB connection" + }, + { + "name": "MobileEDR:telemetry", + "channel": "large file write originating from /mnt/usb or external mounted 
storage" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Burst write to media, cache, temp, export, or staging path occurred during or immediately after camera session from same app identity" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application writes archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application writes new large container, temp package, or high-entropy blob after 
clustered local data access and before outbound communication" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect" + }, + { + "name": "MobileEDR:telemetry", + "channel": "APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state" } ] }, 
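Review bot: Several of the appended `MobileEDR:telemetry` channels describe reads rather than file creation, for example `Application performs burst reads across local system paths, ...`, which is the same string this commit adds to the File Access list, and `Application reads multiple user-data files, ...`. If this array belongs to the File Creation component, as the preceding hunk suggests, those read-only channels probably belong under File Access alone. `App writes encoded/encrypted blobs (high entropy data) ...` and `App writes high-entropy encrypted blobs ...` are near-duplicates and could be merged into one entry. These additions are also appended unsorted, whereas the File Access list in this commit was reordered by source name. The array starts outside the hunk.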
@@ -13348,7 +15152,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:14:34.343Z", + "modified": "2026-04-22T14:48:50.367Z", "name": "Network Traffic Content", "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n - Wireshark / tcpdump / tshark\n - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n - Zeek (formerly Bro)\n - Extracts protocol headers and payload details into structured logs. `echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n - Suricata / Snort (IDS/IPS with PCAP Logging)\n - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. 
`auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -13358,20 +15162,408 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { - "name": "Network Traffic", + "name": "Traffic", "channel": "None" }, + { + "name": "ALB:HTTPLogs", + "channel": "AWS ALB/ELB/GCP/Azure Application Gateway HTTP logs with unusual methods, long URIs, serialized payloads, 4xx/5xx bursts" + }, + { + "name": "apache:access_log", + "channel": "Unusual HTTP POST or PUT requests to paths such as '/uploads/', '/admin/', or CMS plugin folders" + }, + { + "name": "API:ConfigRepoAudit", + "channel": "Access to configuration repository endpoints, unusual enumeration requests or mass downloads" + }, + { + "name": "auditd:SYSCALL", + "channel": "setsockopt, ioctl modifying ARP entries" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Traffic between instances" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Large volume of malformed or synthetic payloads to application endpoints prior to failure" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Unusual volume of data transferred from S3 storage endpoints to non-corporate IPs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "High volume internal-to-internal IP transfer or cross-account cloud transfer" + }, + { + "name": "azure:activity", + "channel": "networkInsightsLogs" + }, + { + "name": "azure:vpcflow", + "channel": "HTTP requests to 169.254.169.254 or Azure Metadata endpoints" + }, + { + "name": "container:proxy", + "channel": "outbound/inbound network activity from spawned pods" + }, + { + "name": "docker:events", + "channel": "remote API calls to /containers/create or /containers/{id}/start" + }, + { + "name": "docker:stats", + "channel": "unusual network TX/RX byte deltas" + }, { "name": "ebpf:syscalls", "channel": "Process within container accesses link-local address 169.254.169.254" }, { - "name": "WebProxy:AccessLogs", - "channel": "SSRF-like patterns accessing 
metadata endpoint through proxy (e.g., Host: 169.254.169.254)" + "name": "EDR:hunting", + "channel": "Advanced Hunting: DeviceProcessEvents + DeviceNetworkEvents" + }, + { + "name": "esxcli:network", + "channel": "Socket sessions with randomized payloads inconsistent with TLS" + }, + { + "name": "esxcli:network", + "channel": "listening sockets bound to non-standard ports" + }, + { + "name": "esxcli:network", + "channel": "listening sockets bound with non-standard encapsulated protocols" + }, + { + "name": "esxcli:network", + "channel": "Socket inspection showing RSA key exchange outside baseline endpoints" + }, + { + "name": "esxi:vmkernel", + "channel": "Network activity" + }, + { + "name": "esxi:vmkernel", + "channel": "Outbound traffic using encoded payloads post-login" + }, + { + "name": "esxi:vmkernel", + "channel": "HTTPS POST connections to webhook endpoints" + }, + { + "name": "esxi:vmkernel", + "channel": "Inspection of sockets showing encrypted sessions from non-baseline processes" + }, + { + "name": "esxi:vmkernel", + "channel": "HTTPS POST connections to pastebin-like domains" + }, + { + "name": "esxi:vmkernel", + "channel": "network stack module logs" + }, + { + "name": "esxi:vmkernel", + "channel": "Suspicious traffic filtered or redirected by VM networking stack" + }, + { + "name": "esxi:vmkernel", + "channel": "VMCI syslog entries" + }, + { + "name": "esxi:vob", + "channel": "NFS/remote access logs" + }, + { + "name": "etw:Microsoft-Windows-NDIS-PacketCapture", + "channel": "TLS Handshake/Network Flow" + }, + { + "name": "etw:Microsoft-Windows-WinINet", + "channel": "HTTPS Inspection" + }, + { + "name": "etw:Microsoft-Windows-WinINet", + "channel": "WinINet API telemetry" + }, + { + "name": "gcp:audit", + "channel": "network.query*" + }, + { + "name": "gcp:vpcflow", + "channel": "first 5m egress to unknown ASNs" + }, + { + "name": "IDS:TLSInspection", + "channel": "Malformed certs, incomplete asymmetric handshakes, or invalid CAs" + }, + { + 
"name": "iOS:unifiedlog", + "channel": "Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode" + }, + { + "name": "iOS:unifiedlog", + "channel": "Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o)" + }, + { + "name": "iOS:unifiedlog", + "channel": "WKWebView navigation to domain visually similar to target brand (IDN/punycode/alike score)" + }, + { + "name": "linux:syslog", + "channel": "Query to suspicious domain with high entropy or low reputation" + }, + { + "name": "linux:syslog", + "channel": "curl|wget|python .*http" + }, + { + "name": "linux:syslog", + "channel": "Unexpected SQL or application log entries showing tampered or malformed data" + }, + { + "name": "linux:syslog", + "channel": "Integrity mismatch warnings or malformed packets detected" + }, + { + "name": "linux:syslog", + "channel": "DNS response IPs followed by connections to non-standard calculated ports" + }, + { + "name": "linux:syslog", + "channel": "Multiple NXDOMAIN responses and high entropy domains" + }, + { + "name": "m365:office", + "channel": "External HTTP/DNS connection from Office binary shortly after macro trigger" + }, + { + "name": "macos:unifiedlog", + "channel": "process + network metrics correlation for bandwidth saturation" + }, + { + "name": "macos:unifiedlog", + "channel": "DNS query with pseudo-random subdomain patterns" + }, + { + "name": "macos:unifiedlog", + "channel": "network flow" + }, + { + "name": "macos:unifiedlog", + "channel": "curl|osascript.*open location" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem: com.apple.network" + }, + { + "name": "macos:unifiedlog", + "channel": "open URL|clicked link|LSQuarantineAttach" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "Connections to suspicious domains with mismatched certificate or unusual patterns" + }, + { + "name": 
"macos:unifiedlog", + "channel": "HTTP POST with encoded content in user-agent or cookie field" + }, + { + "name": "macos:unifiedlog", + "channel": "Suspicious outbound HTTPS requests to domains flagged as newly registered or untrusted after spearphishing message interaction" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream (subsystem: com.apple.system.networking)" + }, + { + "name": "macos:unifiedlog", + "channel": "Encrypted connection with anomalous payload entropy" + }, + { + "name": "macos:unifiedlog", + "channel": "Rapid incoming TLS handshakes or HTTP requests in quick succession" + }, + { + "name": "macos:unifiedlog", + "channel": "network, socket, and http logs" + }, + { + "name": "macos:unifiedlog", + "channel": "DNS responses followed by connections to ports outside standard ranges" + }, + { + "name": "macos:unifiedlog", + "channel": "Persistent outbound traffic to mining domains" + }, + { + "name": "macos:unifiedlog", + "channel": "Encrypted session initiation by unexpected binary" + }, + { + "name": "macos:unifiedlog", + "channel": "eventMessage = 'promiscuous'" + }, + { + "name": "macos:unifiedlog", + "channel": "outbound HTTPS connections to code repository APIs" + }, + { + "name": "macos:unifiedlog", + "channel": "eventMessage = 'open', 'sendto', 'connect'" + }, + { + "name": "macos:unifiedlog", + "channel": "dns-sd, mDNSResponder, socket activity" + }, + { + "name": "macos:unifiedlog", + "channel": "process + network activity" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem=com.apple.WebKit" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem: com.apple.WebKit or com.apple.WebKit.Networking" + }, + { + "name": "macos:unifiedlog", + "channel": "encrypted outbound traffic carrying unexpected application data" + }, + { + "name": "macos:unifiedlog", + "channel": "Persistent outbound connections with consistent periodicity" + }, + { + "name": "macos:unifiedlog", + "channel": "TLS connections with abnormal 
handshake sequence or self-signed cert" + }, + { + "name": "macos:unifiedlog", + "channel": "Web server process initiating outbound TCP connections not tied to normal server traffic" + }, + { + "name": "macos:unifiedlog", + "channel": "outbound TLS connections to cloud storage providers" + }, + { + "name": "macos:unifiedlog", + "channel": "outbound HTTPS connections to cloud storage APIs" + }, + { + "name": "macos:unifiedlog", + "channel": "process, network" + }, + { + "name": "macos:unifiedlog", + "channel": "process = 'ssh' OR eventMessage CONTAINS 'ssh'" + }, + { + "name": "Netfilter/iptables", + "channel": "Forwarded packets log" + }, + { + "name": "Network Traffic", + "channel": "None" + }, + { + "name": "networkconfig ", + "channel": "interface flag PROMISC, netstat | ip link | ethtool" + }, + { + "name": "networkdevice:config", + "channel": "NAT table modification (add/update/delete rule)" + }, + { + "name": "networkdevice:IDS", + "channel": "content inspection / PCAP / HTTP body" + }, + { + "name": "networkdevice:syslog", + "channel": "ACL/Firewall rule modification or new route injection" + }, + { + "name": "networkdevice:syslog", + "channel": "config change (e.g., logging buffered, pcap buffers)" + }, + { + "name": "networkdevice:syslog", + "channel": "Authentication failures, unexpected community string usage, or unauthorized SNMPv1/v2 requests" + }, + { + "name": "networkdevice:syslog", + "channel": "Authentication failures or unusual community string usage in SNMP queries" + }, + { + "name": "NSM:Connections", + "channel": "Symmetric encryption detected without TLS handshake sequence" + }, + { + "name": "NSM:Connections", + "channel": "TLS handshake + HTTP headers" + }, + { + "name": "NSM:Connections", + "channel": "Abnormal certificate chains or non-standard ports carrying TLS" + }, + { + "name": "NSM:Connections", + "channel": "Unusual POST requests to admin or upload endpoints" + }, + { + "name": "NSM:Connections", + "channel": "Outbound connections 
to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns" + }, + { + "name": "NSM:Content", + "channel": "SSL Certificate Metadata" + }, + { + "name": "NSM:Content", + "channel": "HTTP Header Metadata" + }, + { + "name": "NSM:Content", + "channel": "TLS Fingerprint and Certificate Analysis" + }, + { + "name": "NSM:Content", + "channel": "Traffic on RPC DRSUAPI" + }, + { + "name": "NSM:Firewall", + "channel": "TLS/HTTP inspection" + }, + { + "name": "NSM:Firewall", + "channel": "High rate of inbound TCP SYN or ACK packets with missing 3-way handshake completion" + }, + { + "name": "NSM:Firewall", + "channel": "Anomalous TCP SYN or ACK spikes from specific source or interface" + }, + { + "name": "NSM:Firewall", + "channel": "Outbound encrypted traffic" + }, + { + "name": "NSM:Firewall", + "channel": "ICMP/UDP protocol anomaly" }, { "name": "NSM:Flow", @@ -13385,14 +15577,6 @@ "name": "NSM:Flow", "channel": "mqtt.log, xmpp.log, amqp.log" }, - { - "name": "networkdevice:syslog", - "channel": "ACL/Firewall rule modification or new route injection" - }, - { - "name": "m365:office", - "channel": "External HTTP/DNS connection from Office binary shortly after macro trigger" - }, { "name": "NSM:Flow", "channel": "TCP/UDP" @@ -13409,10 +15593,6 @@ "name": "NSM:Flow", "channel": "session behavior" }, - { - "name": "esxi:vmkernel", - "channel": "Network activity" - }, { "name": "NSM:Flow", "channel": "External C2 channel over TLS" 
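Review bot: The first entry of `x_mitre_log_sources` is renamed from `"Network Traffic"` to `"Traffic"`, while a separate `"Network Traffic"` entry with the same `"channel": "None"` is added further down. The `"Traffic"` entry is also the only one outside the case-insensitive alphabetical order the rest of the list now follows, so it looks like a leftover of the re-sort rather than an intended new source. The re-added `"name": "networkconfig "` keeps its trailing space, so a detection pipeline that maps log sources by exact name will not match it; I would write `"name": "networkconfig",` and drop the stray `"Traffic"` entry unless it is a real source. The string `"None"` as a channel value cannot be told apart from a channel actually named None, so omitting the key or using `null` would be clearer if the schema allows it. The array continues in the following hunks.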
@@ -13449,34 +15629,10 @@ "name": "NSM:Flow", "channel": "http.log, ssl.log, websocket.log" }, - { - "name": "macos:unifiedlog", - "channel": "process + network metrics correlation for bandwidth saturation" - }, - { - "name": "docker:stats", - "channel": "unusual network TX/RX byte deltas" - }, - { - "name": "etw:Microsoft-Windows-WinINet", - "channel": "HTTPS Inspection" - }, { "name": "NSM:Flow", "channel": "ssl.log" }, - { - "name": "linux:syslog", - "channel": "Query to suspicious domain with high entropy or low reputation" - }, - { - "name": "macos:unifiedlog", - "channel": "DNS query with pseudo-random subdomain patterns" - }, - { - "name": "azure:vpcflow", - "channel": "HTTP requests to 169.254.169.254 or Azure Metadata endpoints" - }, { "name": "NSM:Flow", "channel": "Browser connections to known C2 or dynamic DNS domains" @@ -13489,42 +15645,14 @@ "name": "NSM:Flow", "channel": "HTTP " }, - { - "name": "macos:unifiedlog", - "channel": "network flow" - }, - { - "name": "linux:syslog", - "channel": "curl|wget|python .*http" - }, - { - "name": "macos:unifiedlog", - "channel": "curl|osascript.*open location" - }, { "name": "NSM:Flow", "channel": "query: High-volume LDAP traffic with filters targeting groupPolicyContainer attributes" }, - { - "name": "etw:Microsoft-Windows-NDIS-PacketCapture", - "channel": "TLS Handshake/Network Flow" - }, { "name": "NSM:Flow", "channel": "HTTP/TLS Logs" }, - { - "name": "macos:unifiedlog", - "channel": "subsystem: com.apple.network" - }, - { - "name": "linux:syslog", - "channel": "Unexpected SQL or application log entries showing tampered or malformed data" - }, - { - "name": "EDR:hunting", - "channel": "Advanced Hunting: DeviceProcessEvents + DeviceNetworkEvents" - }, { "name": "NSM:Flow", "channel": "Suspicious URL patterns, uncommon TLDs, short-lived domains, URL shorteners; HTTP method GET/POST" 
@@ -13533,10 +15661,6 @@ "name": "NSM:Flow", "channel": "Suspicious URL patterns, uncommon TLDs, URL shorteners" }, - { - "name": "macos:unifiedlog", - "channel": "open URL|clicked link|LSQuarantineAttach" - }, { "name": "NSM:Flow", "channel": "Suspicious GET/POST; downloader patterns" @@ -13549,26 +15673,10 @@ "name": "NSM:Flow", "channel": "remote login and transfer" }, - { - "name": "esxi:vob", - "channel": "NFS/remote access logs" - }, - { - "name": "AWS:VPCFlowLogs", - "channel": "Traffic between instances" - }, { "name": "NSM:Flow", "channel": "conn.log" }, - { - "name": "WinEventLog:System", - "channel": "EventCode=5005 (WLAN), EventCode=302 (Bluetooth)" - }, - { - "name": "macos:unifiedlog", - "channel": "None" - }, { "name": "NSM:Flow", "channel": "Suspicious long-lived or reattached remote desktop sessions from unexpected IPs" @@ -13585,10 +15693,6 @@ "name": "NSM:Flow", "channel": "Requests towards cloud metadata or command & control from pod IPs" }, - { - "name": "ALB:HTTPLogs", - "channel": "AWS ALB/ELB/GCP/Azure Application Gateway HTTP logs with unusual methods, long URIs, serialized payloads, 4xx/5xx bursts" - }, { "name": "NSM:Flow", "channel": "Connections to TCP 427 (SLP) or vCenter web services from untrusted sources" @@ -13609,10 +15713,6 @@ "name": "NSM:Flow", "channel": "SMB2_LOGOFF/SMB_TREE_DISCONNECT" }, - { - "name": "macos:unifiedlog", - "channel": "Connections to suspicious domains with mismatched certificate or unusual patterns" - }, { "name": "NSM:Flow", "channel": "Unusual Base64-encoded content in URI, headers, or POST body" 
@@ -13621,18 +15721,6 @@ "name": "NSM:Flow", "channel": "Base64 strings or gzip in URI, headers, or POST body" }, - { - "name": "macos:unifiedlog", - "channel": "HTTP POST with encoded content in user-agent or cookie field" - }, - { - "name": "esxi:vmkernel", - "channel": "Outbound traffic using encoded payloads post-login" - }, - { - "name": "macos:unifiedlog", - "channel": "Suspicious outbound HTTPS requests to domains flagged as newly registered or untrusted after spearphishing message interaction" - }, { "name": "NSM:Flow", "channel": "Inbound connections to 445, 3389, 5985-5986 with high error/connection-reset rate, followed by new outbound sessions from the same host to internal assets within short interval." @@ -13669,10 +15757,6 @@ "name": "NSM:Flow", "channel": "LDAP Query" }, - { - "name": "macos:unifiedlog", - "channel": "log stream (subsystem: com.apple.system.networking)" - }, { "name": "NSM:Flow", "channel": "smtp.log" @@ -13685,18 +15769,6 @@ "name": "NSM:Flow", "channel": "remote CLI session detection" }, - { - "name": "macos:unifiedlog", - "channel": "Encrypted connection with anomalous payload entropy" - }, - { - "name": "esxcli:network", - "channel": "Socket sessions with randomized payloads inconsistent with TLS" - }, - { - "name": "NSM:Connections", - "channel": "Symmetric encryption detected without TLS handshake sequence" - }, { "name": "NSM:Flow", "channel": "http.log, ftp.log" @@ -13709,10 +15781,6 @@ "name": "NSM:Flow", "channel": "large HTTPS POST requests to webhook endpoints" }, - { - "name": "esxi:vmkernel", - "channel": "HTTPS POST connections to webhook endpoints" - }, { "name": "NSM:Flow", "channel": "Single, low-volume inbound packet (REJ/S0/OTH or uncommon dport/protocol) from src_ip followed by outbound SF connection to src_ip." 
@@ -13725,18 +15793,10 @@ "name": "NSM:Flow", "channel": "Inbound one-off packet to uncommon port \u2192 outbound SF to same src_ip within TimeWindow." }, - { - "name": "networkdevice:config", - "channel": "NAT table modification (add/update/delete rule)" - }, { "name": "NSM:Flow", "channel": "large upload to firmware interface port or path" }, - { - "name": "macos:unifiedlog", - "channel": "Rapid incoming TLS handshakes or HTTP requests in quick succession" - }, { "name": "NSM:Flow", "channel": "http.request: HTTP requests and responses for specific script resources, unexpected content-types (application/octet-stream for script URLs), suspicious referrers, or obfuscated javascript resources" @@ -13749,34 +15809,14 @@ "name": "NSM:Flow", "channel": "HTTP/HTTPS requests for script resources flagged by content inspection (excessive obfuscation, eval usage, unusual redirects)" }, - { - "name": "NSM:Connections", - "channel": "TLS handshake + HTTP headers" - }, { "name": "NSM:Flow", "channel": "ssl.log + http.log" }, - { - "name": "macos:unifiedlog", - "channel": "network, socket, and http logs" - }, - { - "name": "NSM:Firewall", - "channel": "TLS/HTTP inspection" - }, { "name": "NSM:Flow", "channel": "http/file-xfer: Outbound transfer of large video-like MIME types soon after capture" }, - { - "name": "container:proxy", - "channel": "outbound/inbound network activity from spawned pods" - }, - { - "name": "esxcli:network", - "channel": "listening sockets bound to non-standard ports" - }, { "name": "NSM:Flow", "channel": "Outbound SCP, TFTP, or FTP sessions carrying configuration file content" @@ -13797,10 +15837,6 @@ "name": "NSM:Flow", "channel": "Transferred file observations" }, - { - "name": "apache:access_log", - "channel": "Unusual HTTP POST or PUT requests to paths such as '/uploads/', '/admin/', or CMS plugin folders" - }, { "name": "NSM:Flow", "channel": "http::post: Outbound HTTP POST from host shortly after DB export activity" 
@@ -13821,50 +15857,14 @@ "name": "NSM:Flow", "channel": "New VM egress to crypto-mining pools or non-approved Internet ranges within minutes of boot" }, - { - "name": "docker:events", - "channel": "remote API calls to /containers/create or /containers/{id}/start" - }, { "name": "NSM:Flow", "channel": "http::request: Network connection to package registry or C2 from interpreter shortly after install" }, - { - "name": "linux:syslog", - "channel": "Integrity mismatch warnings or malformed packets detected" - }, { "name": "NSM:Flow", "channel": "http::request: Outbound HTTP initiated by Python interpreter" }, - { - "name": "WinEventLog:Sysmon", - "channel": "Outbound requests with forged tokens/cookies in headers" - }, - { - "name": "linux:syslog", - "channel": "DNS response IPs followed by connections to non-standard calculated ports" - }, - { - "name": "macos:unifiedlog", - "channel": "DNS responses followed by connections to ports outside standard ranges" - }, - { - "name": "macos:unifiedlog", - "channel": "Persistent outbound traffic to mining domains" - }, - { - "name": "macos:unifiedlog", - "channel": "Encrypted session initiation by unexpected binary" - }, - { - "name": "esxi:vmkernel", - "channel": "Inspection of sockets showing encrypted sessions from non-baseline processes" - }, - { - "name": "NSM:Connections", - "channel": "Abnormal certificate chains or non-standard ports carrying TLS" - }, { "name": "NSM:Flow", "channel": "DrsAddEntry, DrsReplicaAdd, GetNCChanges calls between non-DC and DCs." @@ -13873,10 +15873,6 @@ "name": "NSM:Flow", "channel": "large HTTPS POST requests to text storage domains" }, - { - "name": "esxi:vmkernel", - "channel": "HTTPS POST connections to pastebin-like domains" - }, { "name": "NSM:Flow", "channel": "Unexpected ARP replies or DNS responses inconsistent with authoritative servers" 
@@ -13889,38 +15885,6 @@ "name": "NSM:Flow", "channel": "Unusual request pattern leading up to service crash (e.g., malformed or oversized payload)" }, - { - "name": "AWS:VPCFlowLogs", - "channel": "Large volume of malformed or synthetic payloads to application endpoints prior to failure" - }, - { - "name": "networkconfig ", - "channel": "interface flag PROMISC, netstat | ip link | ethtool" - }, - { - "name": "macos:unifiedlog", - "channel": "eventMessage = 'promiscuous'" - }, - { - "name": "networkdevice:syslog", - "channel": "config change (e.g., logging buffered, pcap buffers)" - }, - { - "name": "macos:unifiedlog", - "channel": "outbound HTTPS connections to code repository APIs" - }, - { - "name": "azure:activity", - "channel": "networkInsightsLogs" - }, - { - "name": "gcp:audit", - "channel": "network.query*" - }, - { - "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", - "channel": "Unusual external domain access" - }, { "name": "NSM:Flow", "channel": "conn.log or http.log" @@ -13961,18 +15925,10 @@ "name": "NSM:Flow", "channel": "conn.log + files.log + ssl.log" }, - { - "name": "macos:unifiedlog", - "channel": "eventMessage = 'open', 'sendto', 'connect'" - }, { "name": "NSM:Flow", "channel": "HTTPS or custom protocol traffic with large payloads" }, - { - "name": "esxi:vmkernel", - "channel": "network stack module logs" - }, { "name": "NSM:Flow", "channel": "Unexpected script or binary content returned in HTTP response body" 
@@ -13985,50 +15941,18 @@ "name": "NSM:Flow", "channel": "Content injection observed in HTTPS responses with mismatched certificates or altered payloads" }, - { - "name": "NSM:Firewall", - "channel": "High rate of inbound TCP SYN or ACK packets with missing 3-way handshake completion" - }, - { - "name": "NSM:Firewall", - "channel": "Anomalous TCP SYN or ACK spikes from specific source or interface" - }, - { - "name": "saas:confluence", - "channel": "REST API access from non-browser agents" - }, - { - "name": "Netfilter/iptables", - "channel": "Forwarded packets log" - }, { "name": "NSM:Flow", "channel": "Relay patterns across IP hops" }, - { - "name": "NSM:Firewall", - "channel": "Outbound encrypted traffic" - }, { "name": "NSM:Flow", "channel": "ldap.log" }, - { - "name": "macos:unifiedlog", - "channel": "dns-sd, mDNSResponder, socket activity" - }, - { - "name": "networkdevice:IDS", - "channel": "content inspection / PCAP / HTTP body" - }, { "name": "NSM:Flow", "channel": "Probe responses from unauthorized APs responding to client probe requests" }, - { - "name": "auditd:SYSCALL", - "channel": "setsockopt, ioctl modifying ARP entries" - }, { "name": "NSM:Flow", "channel": "Excessive gratuitous ARP replies on local subnet" @@ -14053,10 +15977,6 @@ "name": "NSM:Flow", "channel": "Encrypted tunnels or proxy traffic to non-standard destinations" }, - { - "name": "esxi:vmkernel", - "channel": "Suspicious traffic filtered or redirected by VM networking stack" - }, { "name": "NSM:Flow", "channel": "large transfer from management IPs to unauthorized host" @@ -14081,10 +16001,6 @@ "name": "NSM:Flow", "channel": "ftp.log, conn.log, smb_files.log" }, - { - "name": "linux:syslog", - "channel": "Multiple NXDOMAIN responses and high entropy domains" - }, { "name": "NSM:Flow", "channel": "SSL/TLS Inspection or PCAP" 
@@ -14093,10 +16009,6 @@ "name": "NSM:Flow", "channel": "conn.log, ssl.log" }, - { - "name": "macos:unifiedlog", - "channel": "process + network activity" - }, { "name": "NSM:Flow", "channel": "http, dns, smb, ssl logs" @@ -14109,10 +16021,6 @@ "name": "NSM:Flow", "channel": "conn.log, http.log, dns.log, ssl.log" }, - { - "name": "networkdevice:syslog", - "channel": "Authentication failures, unexpected community string usage, or unauthorized SNMPv1/v2 requests" - }, { "name": "NSM:Flow", "channel": "ICMP/UDP traffic (Wireshark, Suricata, Zeek)" @@ -14125,14 +16033,6 @@ "name": "NSM:Flow", "channel": "ICMP/UDP monitoring (tcpdump, Wireshark, Zeek)" }, - { - "name": "esxi:vmkernel", - "channel": "VMCI syslog entries" - }, - { - "name": "NSM:Firewall", - "channel": "ICMP/UDP protocol anomaly" - }, { "name": "NSM:Flow", "channel": "Unusual responses to LLMNR (UDP 5355) or NBT-NS (UDP 137) queries from unauthorized hosts" @@ -14157,42 +16057,14 @@ "name": "NSM:Flow", "channel": "Network Capture TLS/HTTP" }, - { - "name": "NSM:Content", - "channel": "SSL Certificate Metadata" - }, - { - "name": "NSM:Content", - "channel": "HTTP Header Metadata" - }, - { - "name": "NSM:Content", - "channel": "TLS Fingerprint and Certificate Analysis" - }, { "name": "NSM:Flow", "channel": "container egress to unknown IPs/domains" }, - { - "name": "gcp:vpcflow", - "channel": "first 5m egress to unknown ASNs" - }, { "name": "NSM:Flow", "channel": "HTTP Request Logging" }, - { - "name": "WinEventLog:iis", - "channel": "IIS Logs" - }, - { - "name": "macos:unifiedlog", - "channel": "subsystem=com.apple.WebKit" - }, - { - "name": "AWS:VPCFlowLogs", - "channel": "Unusual volume of data transferred from S3 storage endpoints to non-corporate IPs" - }, { "name": "NSM:Flow", "channel": "ssh connections originating from third-party CIDRs" 
@@ -14217,10 +16089,6 @@ "name": "NSM:Flow", "channel": "Outbound HTTP/S" }, - { - "name": "macos:unifiedlog", - "channel": "subsystem: com.apple.WebKit or com.apple.WebKit.Networking" - }, { "name": "NSM:Flow", "channel": "ssl.log - Certificate Analysis" 
@@ -14238,84 +16106,180 @@ "channel": "Packets with unusual flags or payloads outside established flows (e.g., WoL magic FF\u00d76 + 16\u00d7MAC)" }, { - "name": "WIDS:AssociationLogs", - "channel": "Unauthorized AP or anomalous MAC address connection attempts" + "name": "NSM:Flow", + "channel": "Suspicious POSTs to upload endpoints" }, { - "name": "macos:unifiedlog", - "channel": "encrypted outbound traffic carrying unexpected application data" + "name": "NSM:Flow", + "channel": "TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write" }, { - "name": "esxcli:network", - "channel": "listening sockets bound with non-standard encapsulated protocols" + "name": "NSM:Flow", + "channel": "HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app" }, { - "name": "macos:unifiedlog", - "channel": "Persistent outbound connections with consistent periodicity" + "name": "NSM:Flow", + "channel": "HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, text/javascript)" }, { - "name": "macos:unifiedlog", - "channel": "TLS connections with abnormal handshake sequence or self-signed cert" + "name": "NSM:Flow", + "channel": "burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans" }, { - "name": "esxcli:network", - "channel": "Socket inspection showing RSA key exchange outside baseline endpoints" + "name": "NSM:Flow", + "channel": "HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline" }, { - "name": "IDS:TLSInspection", - "channel": "Malformed certs, incomplete asymmetric handshakes, or invalid CAs" + "name": "NSM:Flow", + "channel": "Application-layer indicators observable via enterprise network controls 
(HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior" }, { - "name": "macos:unifiedlog", - "channel": "Web server process initiating outbound TCP connections not tied to normal server traffic" + "name": "NSM:Flow", + "channel": "Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss" }, { - "name": "macos:unifiedlog", - "channel": "outbound TLS connections to cloud storage providers" + "name": "NSM:Flow", + "channel": "Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss" + }, + { + "name": "NSM:Flow", + "channel": "Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit" + }, + { + "name": "NSM:Flow", + "channel": "Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window" + }, + { + "name": "NSM:Flow", + "channel": "App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window" + }, + { + "name": "NSM:Flow", + "channel": "Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase" + }, + { + "name": "NSM:Flow", + "channel": "Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the acquisition phase" + }, + { + "name": "NSM:Flow", + "channel": "Device shows correlated inbound session establishment followed by outbound 
connections to separate external destinations with overlapping timing and relay-like byte symmetry" + }, + { + "name": "NSM:Flow", + "channel": "Traffic spike preceding control crash" + }, + { + "name": "NSM:Inspection", + "channel": "TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation" + }, + { + "name": "NSM:Inspection", + "channel": "TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect" }, { "name": "saas:box", "channel": "API calls exceeding baseline thresholds" }, { - "name": "macos:unifiedlog", - "channel": "outbound HTTPS connections to cloud storage APIs" + "name": "saas:confluence", + "channel": "REST API access from non-browser agents" }, { - "name": "AWS:VPCFlowLogs", - "channel": "High volume internal-to-internal IP transfer or cross-account cloud transfer" + "name": "TelecomLogs:SS7Signaling", + "channel": "Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns" }, { - "name": "etw:Microsoft-Windows-WinINet", - "channel": "WinINet API telemetry" + "name": "TelecomLogs:SS7Signaling", + "channel": "Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities" }, { - "name": "macos:unifiedlog", - "channel": "process, network" + "name": "VPN:MobileProxy", + "channel": "Supervised or newly activated device initiates outbound connections to destinations outside Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion" }, { - "name": "NSM:Connections", - "channel": "Unusual POST requests to admin or upload endpoints" + "name": 
"VPN:MobileProxy", + "channel": "Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class" }, { - "name": "NSM:Flow", - "channel": "Suspicious POSTs to upload endpoints" + "name": "VPN:MobileProxy", + "channel": "Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior" }, { - "name": "networkdevice:syslog", - "channel": "Authentication failures or unusual community string usage in SNMP queries" + "name": "VPN:MobileProxy", + "channel": "App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow" }, { - "name": "API:ConfigRepoAudit", - "channel": "Access to configuration repository endpoints, unusual enumeration requests or mass downloads" + "name": "VPN:MobileProxy", + "channel": "DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity" }, { - "name": "NSM:Content", - "channel": "Traffic on RPC DRSUAPI" + "name": "VPN:MobileProxy", + "channel": "Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category" }, { - "name": "macos:unifiedlog", - "channel": "process = 'ssh' OR eventMessage CONTAINS 'ssh'" + "name": "VPN:MobileProxy", + "channel": "App-attributed session to public web-service domain included inbound 
content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow" + }, + { + "name": "VPN:MobileProxy", + "channel": "Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval" + }, + { + "name": "VPN:MobileProxy", + "channel": "Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity" + }, + { + "name": "VPN:MobileProxy", + "channel": "App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class" + }, + { + "name": "VPN:MobileProxy", + "channel": "Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content" + }, + { + "name": "VPN:MobileProxy", + "channel": "Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile" + }, + { + "name": "VPN:MobileProxy", + "channel": "TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session" + }, + { + "name": "VPN:MobileProxy", + "channel": "Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior" + }, + { + "name": "VPN:MobileProxy", + "channel": "Destination port was not in approved protocol-to-port mapping for app identity or service 
class and session did not match known enterprise proxy, relay, or developer tooling exception" + }, + { + "name": "VPN:MobileProxy", + "channel": "Observed protocol-to-port pairing was outside approved mapping for managed bundle or service class and did not match enterprise proxy, relay, or developer tooling exception" + }, + { + "name": "WebProxy:AccessLogs", + "channel": "SSRF-like patterns accessing metadata endpoint through proxy (e.g., Host: 169.254.169.254)" + }, + { + "name": "WIDS:AssociationLogs", + "channel": "Unauthorized AP or anomalous MAC address connection attempts" + }, + { + "name": "WinEventLog:iis", + "channel": "IIS Logs" + }, + { + "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", + "channel": "Unusual external domain access" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "Outbound requests with forged tokens/cookies in headers" + }, + { + "name": "WinEventLog:System", + "channel": "EventCode=5005 (WLAN), EventCode=302 (Bluetooth)" } ] }, @@ -14494,17 +16458,16 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datacomponents/DC0032", + "url": "https://attack.mitre.org/data-components/DC0032", "external_id": "DC0032" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-13T15:49:16.424Z", "name": "Process Creation", "description": "Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.. ", - "x_mitre_data_source_ref": "", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ 
@@ -14512,7 +16475,7 @@
 "mobile-attack",
 "enterprise-attack"
 ],
- "x_mitre_version": "2.0",
+ "x_mitre_version": "2.1",
 "x_mitre_attack_spec_version": "3.3.0",
 "x_mitre_log_sources": [
 {
@@ -15794,6 +17757,58 @@ { "name": "macos:unifiedlog", "channel": "security OR injection attempts into 1Password OR LastPass" + }, + { + "name": "AndroidLogs:Kernel", + "channel": "init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot" + }, + { + "name": "iOS:unifiedlog", + "channel": "launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock" + }, + { + "name": "AndroidLogs:Framework", + "channel": "Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/), or whose parent process originates from an app sandbox" + }, + { + "name": "iOS:unifiedlog", + "channel": "Creation of a new process with elevated UID or sensitive entitlements whose binary path is associated with an app container or whose parent/caller is a low-privileged app/webcontent process" + }, + { + "name": "android:logcat", + "channel": "dlopen of a recently created .so OR short-lived child (/system/bin/sh,toybox,linker) spawned by app_process" + }, + { + "name": "android:logcat", + "channel": "startActivity on top of (launchMode/singleTop), task switch immediately after focus" + }, + { + "name": "android:logcat", + "channel": "unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application writes audio buffer or recorded audio file into application storage directories" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application installed from adb, sideload, or unknown USB source" + }, + { + "name": 
"MobileEDR:telemetry", + "channel": "Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack)" } ] }, @@ -15920,6 +17935,7 @@ "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "created": "2022-05-11T16:22:58.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -15930,7 +17946,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:10:28.402Z", + "modified": "2026-04-22T15:07:16.930Z", "name": "Process/Event Alarm", "description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -15938,9 +17954,13 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ + { + "name": "Databases", + "channel": "None" + }, { "name": "Operational Databases", "channel": "None" 
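Review bot: Several of the entries added in `@@ -15794,6 +17757,58 @@` do not describe process creation, although the neighbouring channels suggest this is the Process Creation log-source list (the object header is outside the hunk, so that is inferred). `"channel": "Application writes audio buffer or recorded audio file into application storage directories"` is a file write, `"channel": "application installed from adb, sideload, or unknown USB source"` is an install event, and the `startActivity on top of ...` entry is an activity/task transition. Listing them here overstates mobile process-creation coverage, and they belong with the data components that cover those events. The new names also mix conventions: `AndroidLogs:Kernel` and `AndroidLogs:Framework` sit beside `android:logcat`, and `iOS:unifiedlog` beside the lowercase `macos:unifiedlog`, so a consumer that groups by `name` will split one platform across several keys.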
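Review bot: The log source added in `@@ -15938,9 +17954,13 @@`, `"name": "Databases", "channel": "None"`, uses the string `"None"` as its channel, which a consumer cannot distinguish from a channel that is really called None. It also sits directly above the existing `Operational Databases` entry with the same placeholder, so the two read as overlapping sources with no collection detail. If no channel can be named yet, either give the entry a concrete channel (for instance the alarm or event table it is meant to cover) or leave it out until one is known.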
@@ -15966,7 +17986,6 @@ "modified": "2025-11-12T22:03:39.105Z", "name": "Drive Modification", "description": "The alteration of a drive letter, mount point, or other attributes of a data storage device, which could involve reassignment, renaming, permissions changes, or other modifications. Examples: \n\n- Drive Letter Reassignment: A USB drive previously assigned `E:\\` is reassigned to `D:\\` on a Windows machine.\n- Mount Point Change: On a Linux system, a mounted storage device at `/mnt/external` is moved to `/mnt/storage`.\n- Drive Permission Changes: A shared drive's permissions are modified to allow write access for unauthorized users or processes.\n- Renaming of a Drive: A network drive labeled \"HR_Share\" is renamed to \"Shared_Resources.\"\n- Modification of Cloud-Integrated Drives: A cloud storage mount such as Google Drive is modified to sync only specific folders.\n\nThis data component can be collected through the following measures:\n\nWindows Event Logs\n\n- Relevant Events:\n - Event ID 98: Indicates changes to a volume (e.g., drive letter reassignment).\n - Event ID 1006: Logs permission modifications or changes to removable storage.\n- Configuration: Enable \"Storage Operational Logs\" in the Event Viewer:\n`Applications and Services Logs > Microsoft > Windows > Storage-Tiering > Operational`\n\nLinux System Logs\n\n- Auditd Configuration: Add audit rules to track changes to mounted drives: `auditctl -w /mnt/ -p w -k drive_modification`\n- Command-Line Monitoring: Use `dmesg` or `journalctl` to observe drive modifications.\n\nmacOS System Logs\n\n- Unified Logs: Collect mount or drive modification events: `log show --info | grep \"Volume modified\"`\n- Command-Line Monitoring: Use `diskutil` to track changes:\n\nEndpoint Detection and Response (EDR) Tools\n\n- Configure policies in EDR solutions to monitor and log changes to drive configurations or attributes.\n\nSIEM Tools\n\n- Aggregate logs from multiple systems into a centralized platform 
like Splunk to correlate events and alert on suspicious drive modification activities.\n", - "x_mitre_data_source_ref": "", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ 
@@ -16207,38 +18226,235 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-23T18:33:47.956Z", "name": "File Metadata", "description": "contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: \n\n- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\\Windows\\System32\\config\\SAM on Windows.\n- Timestamps: Analyzing the creation, modification, and access timestamps of a file.\n- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.\n- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.\n- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.\n- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ + { + "name": "auditd:SYSCALL", + "channel": "stat and lstat syscall results on files, including inode and permission info" + }, + { + "name": "AndroidLogs:Framework", + "channel": "BroadcastReceiver registration for android.intent.action.BOOT_COMPLETED by previously unseen or recently installed apps" + }, + { + "name": 
"auditd:CONFIG_CHANGE", + "channel": "chmod or chown of hook files indicating privilege escalation or execution permission change" + }, + { + "name": "auditd:PATH", + "channel": "file path matches exclusion directories" + }, + { + "name": "auditd:PATH", + "channel": "PATH" + }, + { + "name": "auditd:PATH", + "channel": "file path modifications on critical system directories (/etc, /usr/bin, /usr/sbin, /var, /opt)" + }, + { + "name": "auditd:SYSCALL", + "channel": "Inotify watch creation or auditctl changes on /etc/cron* or /lib/systemd/system/" + }, + { + "name": "auditd:SYSCALL", + "channel": "PATH" + }, + { + "name": "auditd:SYSCALL", + "channel": "file write after sleep delay" + }, + { + "name": "auditd:SYSCALL", + "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)" + }, + { + "name": "auditd:SYSCALL", + "channel": "setuid or setgid bit changes" + }, + { + "name": "auditd:SYSCALL", + "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, lchown, setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr, fremovexattr)" + }, + { + "name": "auditd:SYSCALL", + "channel": "setxattr or getxattr system call" + }, + { + "name": "auditd:SYSCALL", + "channel": "chmod, chown, setxattr, or file writes to /etc/ssl/* or /usr/local/share/ca-certificates/*" + }, + { + "name": "ebpf:syscalls", + "channel": "Unexpected container volume unmount + file deletion" + }, + { + "name": "EDR:detection", + "channel": "App reputation telemetry" + }, + { + "name": "EDR:file", + "channel": "File Metadata Inspection (Low String Entropy, Missing PDB)" + }, + { + "name": "EDR:file", + "channel": "File Metadata Analysis (PE overlays, entropy)" + }, + { + "name": "esxi:hostd", + "channel": "host daemon events related to file or VM permission changes" + }, + { + "name": "esxi:syslog", + "channel": "Datastore file hidden or renamed unexpectedly" + }, + { + "name": "esxi:vmkernel", + "channel": "Upload of file to datastore" + 
}, + { + "name": "esxi:vmkernel", + "channel": "Storage access and file ops" + }, + { + "name": "esxi:vmkernel", + "channel": "VMware kernel events for file system permission modifications" + }, + { + "name": "esxi:vmkernel", + "channel": "Datastore modification events" + }, { "name": "File", "channel": "None" }, { - "name": "linux:osquery", - "channel": "event-based" + "name": "fs:fileevents", + "channel": "/var/log/install.log" }, { - "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", - "channel": "Invalid/Unsigned image when developer tool launches newly installed binaries" + "name": "fs:filesystem", + "channel": "Binary file hash changes outside of update/patch cycles" + }, + { + "name": "fs:fsevents", + "channel": "file system events indicating permission or attribute changes" + }, + { + "name": "fs:fsusage", + "channel": "filesystem monitoring of exec/open" + }, + { + "name": "fwupd:logs", + "channel": "Firmware updates applied or failed" + }, + { + "name": "gatekeeper/quarantine database", + "channel": "LaunchServices quarantine" }, { "name": "journald:package", "channel": "dpkg/apt or yum/dnf transaction logs (install/update of build tools)" }, + { + "name": "journald:package", + "channel": "dpkg/apt/yum/dnf transaction logs; vendor updaters in systemd journals" + }, + { + "name": "journald:package", + "channel": "dpkg/apt install, remove, upgrade events" + }, + { + "name": "journald:package", + "channel": "yum/dnf install or update transactions" + }, + { + "name": "linux:osquery", + "channel": "event-based" + }, { "name": "linux:osquery", "channel": "file_events, hash" }, + { + "name": "linux:osquery", + "channel": "hash, elf_info, file_metadata" + }, + { + "name": "linux:osquery", + "channel": "file_events" + }, + { + "name": "linux:osquery", + "channel": "elf_info, hash, yara_matches" + }, + { + "name": "linux:osquery", + "channel": "Read headers and detect MIME type mismatch" + }, + { + "name": "linux:osquery", + "channel": 
"file_events.path" + }, + { + "name": "linux:osquery", + "channel": "Filesystem modifications to trusted paths" + }, + { + "name": "linux:osquery", + "channel": "Write or modify .desktop file in XDG autostart path" + }, + { + "name": "linux:osquery", + "channel": "hash, rpm_packages, deb_packages, file_events" + }, + { + "name": "linux:syslog", + "channel": "Discrepancies in _VBA_PROJECT p-code vs source code extracted with oletools/pcodedmp" + }, + { + "name": "linux:syslog", + "channel": "application or system execution logs" + }, + { + "name": "linux:syslog", + "channel": "file permission modification events in kernel messages" + }, + { + "name": "linux:syslog", + "channel": "kernel messages related to file system permission changes and security violations" + }, + { + "name": "macos:endpointsecurity", + "channel": "es_event_file_rename_t or es_event_file_write_t" + }, + { + "name": "macos:endpointsecurity", + "channel": "es_event_authentication" + }, + { + "name": "macos:osquery", + "channel": "code_signing, file_metadata" + }, + { + "name": "macos:osquery", + "channel": "file_events" + }, + { + "name": "macos:osquery", + "channel": "mach_o_info, file_metadata" + }, { "name": "macos:unifiedlog", "channel": "softwareupdated/homebrew/install logs, pkginstalld events" 
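Review bot: The re-sorted `auditd:SYSCALL` group now holds two entries whose syscall sets overlap completely: `syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)` is a strict subset of the later entry that adds `lchown` and the `removexattr` variants, so the shorter one can be dropped. The same near-duplication appears in the later hunk `@@ -16567,13 +18535,73 @@`, where `WinEventLog:Windows Defender` is listed with `"Operational log"` and again with `"Operational"`. Separately, the two entries prepended at the top (`auditd:SYSCALL` for stat/lstat and `AndroidLogs:Framework`) fall outside the name ordering the rest of the list follows. The `AndroidLogs:Framework` channel also describes a `BOOT_COMPLETED` receiver registration rather than file metadata, and it is the only mobile source visible in this hunk to support the added `mobile-attack` domain. The list continues outside this hunk.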
@@ -16247,34 +18463,10 @@ "name": "macos:unifiedlog", "channel": "AMFI or Gatekeeper signature/notarization failures for newly installed dev components" }, - { - "name": "auditd:SYSCALL", - "channel": "Inotify watch creation or auditctl changes on /etc/cron* or /lib/systemd/system/" - }, - { - "name": "linux:syslog", - "channel": "Discrepancies in _VBA_PROJECT p-code vs source code extracted with oletools/pcodedmp" - }, { "name": "macos:unifiedlog", "channel": "Detection of altered _VBA_PROJECT or PerformanceCache streams" }, - { - "name": "EDR:file", - "channel": "File Metadata Inspection (Low String Entropy, Missing PDB)" - }, - { - "name": "linux:osquery", - "channel": "hash, elf_info, file_metadata" - }, - { - "name": "macos:osquery", - "channel": "code_signing, file_metadata" - }, - { - "name": "WinEventLog:Windows Defender", - "channel": "Operational log" - }, { "name": "macos:unifiedlog", "channel": "subsystem:syspolicyd" 
@@ -16283,94 +18475,18 @@ "name": "macos:unifiedlog", "channel": "File metadata updated with UF_HIDDEN flag" }, - { - "name": "WinEventLog:Sysmon", - "channel": "EventCode=15" - }, - { - "name": "auditd:PATH", - "channel": "file path matches exclusion directories" - }, - { - "name": "auditd:SYSCALL", - "channel": "PATH" - }, - { - "name": "auditd:PATH", - "channel": "PATH" - }, - { - "name": "macos:endpointsecurity", - "channel": "es_event_file_rename_t or es_event_file_write_t" - }, - { - "name": "linux:osquery", - "channel": "file_events" - }, - { - "name": "fs:fileevents", - "channel": "/var/log/install.log" - }, - { - "name": "auditd:SYSCALL", - "channel": "file write after sleep delay" - }, - { - "name": "esxi:vmkernel", - "channel": "Upload of file to datastore" - }, - { - "name": "ebpf:syscalls", - "channel": "Unexpected container volume unmount + file deletion" - }, - { - "name": "macos:osquery", - "channel": "file_events" - }, - { - "name": "EDR:file", - "channel": "File Metadata Analysis (PE overlays, entropy)" - }, - { - "name": "linux:osquery", - "channel": "elf_info, hash, yara_matches" - }, - { - "name": "macos:osquery", - "channel": "mach_o_info, file_metadata" - }, { "name": "macos:unifiedlog", "channel": "Code signature validation fails or is absent post-binary modification" }, - { - "name": "fs:filesystem", - "channel": "Binary file hash changes outside of update/patch cycles" - }, - { - "name": "linux:osquery", - "channel": "Read headers and detect MIME type mismatch" - }, { "name": "macos:unifiedlog", "channel": "Code signing verification failures or bypassed trust decisions" }, - { - "name": "NSM:Flow", - "channel": "Observed File Transfers" - }, - { - "name": "esxi:vmkernel", - "channel": "Storage access and file ops" - }, { "name": "macos:unifiedlog", "channel": "Creation of new LaunchAgent or LoginItem plist files in ~/Library/LaunchAgents/" }, - { - "name": "auditd:CONFIG_CHANGE", - "channel": "chmod or chown of hook files indicating 
privilege escalation or execution permission change" - }, { "name": "macos:unifiedlog", "channel": "filesystem events" @@ -16383,46 +18499,6 @@ "name": "macos:unifiedlog", "channel": "Gatekeeper quarantine policy decision anomalies recorded in com.apple.LaunchServices.QuarantineEventsV2" }, - { - "name": "linux:syslog", - "channel": "application or system execution logs" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4663, 4670, 4656" - }, - { - "name": "auditd:SYSCALL", - "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)" - }, - { - "name": "linux:syslog", - "channel": "file permission modification events in kernel messages" - }, - { - "name": "fs:fsevents", - "channel": "file system events indicating permission or attribute changes" - }, - { - "name": "OpenBSM:AuditTrail", - "channel": "BSM audit events for file permission modifications" - }, - { - "name": "esxi:hostd", - "channel": "host daemon events related to file or VM permission changes" - }, - { - "name": "esxi:vmkernel", - "channel": "VMware kernel events for file system permission modifications" - }, - { - "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", - "channel": "Unsigned or invalid image for newly installed/updated binaries" - }, - { - "name": "journald:package", - "channel": "dpkg/apt/yum/dnf transaction logs; vendor updaters in systemd journals" - }, { "name": "macos:unifiedlog", "channel": "pkginstalld/softwareupdated/Homebrew install transactions" 
@@ -16431,134 +18507,26 @@ "name": "macos:unifiedlog", "channel": "AMFI/Gatekeeper code signature or notarization failures" }, - { - "name": "EDR:detection", - "channel": "App reputation telemetry" - }, - { - "name": "gatekeeper/quarantine database", - "channel": "LaunchServices quarantine" - }, - { - "name": "linux:osquery", - "channel": "file_events.path" - }, - { - "name": "auditd:SYSCALL", - "channel": "setuid or setgid bit changes" - }, - { - "name": "linux:osquery", - "channel": "Filesystem modifications to trusted paths" - }, - { - "name": "fs:fsusage", - "channel": "filesystem monitoring of exec/open" - }, - { - "name": "auditd:SYSCALL", - "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, lchown, setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr, fremovexattr)" - }, - { - "name": "auditd:PATH", - "channel": "file path modifications on critical system directories (/etc, /usr/bin, /usr/sbin, /var, /opt)" - }, - { - "name": "linux:syslog", - "channel": "kernel messages related to file system permission changes and security violations" - }, - { - "name": "OpenBSM:AuditTrail", - "channel": "BSM audit events for file permission, ownership, and attribute modifications with user context" - }, { "name": "macos:unifiedlog", "channel": "kernel extension and system extension logs related to file system security violations or SIP bypass attempts" }, - { - "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", - "channel": "Code integrity violations in boot-start drivers or firmware" - }, - { - "name": "fwupd:logs", - "channel": "Firmware updates applied or failed" - }, - { - "name": "macos:endpointsecurity", - "channel": "es_event_authentication" - }, - { - "name": "esxi:vmkernel", - "channel": "Datastore modification events" - }, - { - "name": "linux:osquery", - "channel": "Write or modify .desktop file in XDG autostart path" - }, { "name": "macos:unifiedlog", "channel": "Unexpected application binary modifications or altered 
signing status" }, - { - "name": "auditd:SYSCALL", - "channel": "setxattr or getxattr system call" - }, { "name": "macos:unifiedlog", "channel": "extended attribute write or modification" }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4663, 4656, 4658" - }, - { - "name": "auditd:SYSCALL", - "channel": "chmod, chown, setxattr, or file writes to /etc/ssl/* or /usr/local/share/ca-certificates/*" - }, { "name": "macos:unifiedlog", "channel": "New certificate trust settings added by unexpected process" }, - { - "name": "esxi:syslog", - "channel": "Datastore file hidden or renamed unexpectedly" - }, - { - "name": "WinEventLog:Windows Defender", - "channel": "Operational" - }, { "name": "macos:unifiedlog", "channel": "subsystem=com.apple.lsd" }, - { - "name": "saas:RepoEvents", - "channel": "New file added or modified in PR targeting CI/CD or build config (e.g., `gitlab-ci.yml`, `build.gradle`, `pom.xml`, `.github/workflows/*.yml`)" - }, - { - "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", - "channel": "CodeIntegrity reports 'Invalid image hash' or 'Unsigned image' for new/updated binaries" - }, - { - "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", - "channel": "SmartScreen or ASR blocks on newly downloaded installer/updater" - }, - { - "name": "WinEventLog:Setup", - "channel": "MSI/Product install, repair or update events" - }, - { - "name": "journald:package", - "channel": "dpkg/apt install, remove, upgrade events" - }, - { - "name": "journald:package", - "channel": "yum/dnf install or update transactions" - }, - { - "name": "linux:osquery", - "channel": "hash, rpm_packages, deb_packages, file_events" - }, { "name": "macos:unifiedlog", "channel": "installer or system_installd 'PackageKit: install succeeded/failed' with non-notarized or unknown signer" 
@@ -16567,13 +18535,73 @@ "name": "macos:unifiedlog", "channel": "Gatekeeper/AMFI 'code signature invalid' / 'not notarized' messages" }, + { + "name": "macos:unifiedlog", + "channel": "File creation or modification with com.apple.ResourceFork extended attribute" + }, { "name": "networkdevice:syslog", "channel": "OS version query results inconsistent with expected or approved version list" }, { - "name": "macos:unifiedlog", - "channel": "File creation or modification with com.apple.ResourceFork extended attribute" + "name": "NSM:Flow", + "channel": "Observed File Transfers" + }, + { + "name": "OpenBSM:AuditTrail", + "channel": "BSM audit events for file permission modifications" + }, + { + "name": "OpenBSM:AuditTrail", + "channel": "BSM audit events for file permission, ownership, and attribute modifications with user context" + }, + { + "name": "saas:RepoEvents", + "channel": "New file added or modified in PR targeting CI/CD or build config (e.g., `gitlab-ci.yml`, `build.gradle`, `pom.xml`, `.github/workflows/*.yml`)" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "Invalid/Unsigned image when developer tool launches newly installed binaries" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "Unsigned or invalid image for newly installed/updated binaries" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "Code integrity violations in boot-start drivers or firmware" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "CodeIntegrity reports 'Invalid image hash' or 'Unsigned image' for new/updated binaries" + }, + { + "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", + "channel": "SmartScreen or ASR blocks on newly downloaded installer/updater" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4663, 4670, 4656" + }, + { + "name": "WinEventLog:Security", + "channel": 
"EventCode=4663, 4656, 4658" + }, + { + "name": "WinEventLog:Setup", + "channel": "MSI/Product install, repair or update events" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=15" + }, + { + "name": "WinEventLog:Windows Defender", + "channel": "Operational log" + }, + { + "name": "WinEventLog:Windows Defender", + "channel": "Operational" } ] }, @@ -16593,7 +18621,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-20T18:21:23.994Z", "name": "Service Modification", "description": "Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -16602,9 +18630,13 @@ "ics-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ + { + "name": "esxi:hostd", + "channel": "service state change" + }, { "name": "Service", "channel": "None" 
@@ -16635,7 +18667,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-11-12T22:03:39.105Z",
+ "modified": "2026-04-24T19:47:16.123Z",
 "name": "Command Execution",
 "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: \n\n- Windows Command Prompt\n - dir \u2013 Lists directory contents.\n - net user \u2013 Queries or manipulates user accounts.\n - tasklist \u2013 Lists running processes.\n- PowerShell\n - Get-Process \u2013 Retrieves processes running on a system.\n - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n - ls \u2013 Lists files in a directory.\n - cat /etc/passwd \u2013 Reads the user accounts file.\n - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n - docker exec \u2013 Executes a command inside a running container.\n - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n - open \u2013 Opens files or URLs.\n - dscl . -list /Users \u2013 Lists all users on the system.\n - osascript -e \u2013 Executes AppleScript commands.",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -16645,64 +18677,712 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { - "name": "Command", - "channel": "None" + "name": "android:logcat", + "channel": "Command 'pm list packages' executed by app sandbox or child proc" + }, + { + "name": "auditd:CONFIG_CHANGE", + "channel": "udev rule reload or trigger command executed" + }, + { + "name": "auditd:EXECVE", + "channel": "execve of script/interpreter (bash, python, node) with suspicious encoded or non-printable content" + }, + { + "name": "auditd:EXECVE", + "channel": "Use of mv or cp to rename files with '.' prefix" + }, + { + "name": "auditd:EXECVE", + "channel": "execve: Execution of update-ca-certificates or trust anchor modification commands" + }, + { + "name": "auditd:EXECVE", + "channel": "gcore, gdb, strings, hexdump execution" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of auditctl, systemctl stop auditd, or kill -9 auditd" + }, + { + "name": "auditd:EXECVE", + "channel": "execution of systemctl with subcommands start, stop, enable, disable" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of GUI-related binaries with suppressed window/display flags" + }, + { + "name": "auditd:EXECVE", + "channel": "curl -X POST, wget --post-data" + }, + { + "name": "auditd:EXECVE", + "channel": "command line arguments containing lsblk, fdisk, parted" + }, + { + "name": "auditd:EXECVE", + "channel": "exec: Execution of dd, efibootmgr, or flashrom modifying firmware/boot partitions" + }, + { + "name": "auditd:EXECVE", + "channel": "curl -d, wget --post-data" + }, + { + "name": "auditd:EXECVE", + "channel": "grep/cat/awk on files with password fields" + }, + { + "name": "auditd:EXECVE", + "channel": "git push, curl -X POST" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of gsettings set org.gnome.login-screen disable-user-list true" + }, + { + "name": "auditd:EXECVE", + 
"channel": "execution of setfattr or getfattr commands" + }, + { + "name": "auditd:EXECVE", + "channel": "Process execution of update-ca-certificates or openssl with suspicious arguments" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of chattr to set +i or +a attributes" + }, + { + "name": "auditd:EXECVE", + "channel": "curl or wget with POST/PUT options" + }, + { + "name": "auditd:EXECVE", + "channel": "curl -T, rclone copy" + }, + { + "name": "auditd:EXECVE", + "channel": "execve of curl,wget,bash,sh,python with piped or remote content" + }, + { + "name": "auditd:EXECVE", + "channel": "execve, kill, ptrace, insmod, rmmod targeting security processes" + }, + { + "name": "auditd:PROCTITLE", + "channel": "proctitle contains chmod, chown, setfacl, or attr commands with suspicious parameters" + }, + { + "name": "auditd:PROCTITLE", + "channel": "proctitle contains chmod, chown, chgrp, setfacl, or attr with suspicious parameters (777, 755, +x, -R)" + }, + { + "name": "auditd:PROCTITLE", + "channel": "process title records containing discovery command sequences and environmental assessment patterns" + }, + { + "name": "auditd:PROCTITLE", + "channel": "command-line execution patterns for system discovery utilities (uname, hostname, ifconfig, netstat, lsof, ps, mount)" }, { "name": "auditd:SYSCALL", "channel": "execution of realmd, samba-tool, or ldapmodify with user-related arguments" }, { - "name": "macos:unifiedlog", - "channel": "dsconfigad or dscl with create or append options for AD-bound users" + "name": "auditd:SYSCALL", + "channel": "Execution of script interpreters by systemd timer (ExecStart)" }, { - "name": "EDR:AMSI", - "channel": "None" + "name": "auditd:SYSCALL", + "channel": "execve: Commands like systemctl stop , service stop, or kill -9 " }, { - "name": "linux:syslog", - "channel": "cron activity" + "name": "auditd:SYSCALL", + "channel": "execve calls to locale, timedatectl, or cat /etc/timezone" }, { - "name": "WinEventLog:PowerShell", - 
"channel": "Get-ADTrust|GetAllTrustRelationships" + "name": "auditd:SYSCALL", + "channel": "sleep function usage or loops (nanosleep, usleep) in scripts" }, { - "name": "gcp:audit", + "name": "auditd:SYSCALL", + "channel": "connect, execve, write" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve call including 'nohup' or trailing '&'" + }, + { + "name": "auditd:SYSCALL", "channel": "None" }, { "name": "auditd:SYSCALL", - "channel": "Execution of script interpreters by systemd timer (ExecStart)" + "channel": "execve: Commands executed within an SSH session where no matching logon/authentication event exists" + }, + { + "name": "auditd:SYSCALL", + "channel": "chmod, execve" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: iptables, nft, firewall-cmd modifications" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Invocation of scp, rsync, curl, or sftp" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls modifying local mail filter configuration files" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: process_name IN (\"virsh\", \"VBoxManage\", \"qemu-img\") AND command IN (\"list\", \"info\")" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: service stop syslog, systemctl stop rsyslog, kill -9 syslog" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: openssl pkcs12, certutil, keytool" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Process in container namespace executes curl|wget|bash|sh|python|nc with outbound args" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of systemctl or service with enable/start parameters" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of cat, less, grep, journalctl targeting log directories (/var/log/)" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of python, perl, or custom binaries invoking compression libraries" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve, USER_CMD" + }, + { + "name": 
"auditd:SYSCALL", + "channel": "bash/zsh of base64, tar, gzip, or openssl immediately after file write" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Processes executing sendmail/postfix with forged headers" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of tar, gzip, bzip2, xz, zip, or openssl with compression/encryption arguments" + }, + { + "name": "auditd:SYSCALL", + "channel": "promiscuous mode transitions (ioctl or ifconfig)" + }, + { + "name": "auditd:SYSCALL", + "channel": "chattr, rm, shred, dd run on recovery directories or partitions" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of curl or wget writing files to /tmp/* followed by chmod or execution" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of downgraded interpreters such as python2 or forced fallback commands" + }, + { + "name": "auditd:SYSCALL", + "channel": "Command line arguments including SPApplicationsDataType" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP packets to known amplifier ports" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of tools like cat, grep, or awk on credential files" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of curl, rsync, wget with internal knowledge base or IPs" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of systemctl, loginctl, or systemd-inhibit commands related to sleep/hibernate" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of xev, xdotool, or input activity emulators" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of interpreters creating archive-like outputs without calling tar/gzip" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of insmod, modprobe, or rmmod commands by non-standard users or outside expected timeframes" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve syscalls for discovery 
commands (uname, hostname, id, whoami, ps, netstat, mount) with command-line parameter analysis" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of curl, wget, or custom scripts accessing financial endpoints" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of tar, gzip, bzip2, or openssl with output redirection" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve=/sbin/shutdown or /sbin/reboot" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls modifying HISTFILE or HISTCONTROL via unset/export" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls to /usr/bin/locale or shell execution of $LANG" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of systemctl or service with enable/start/modify" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of lsmod, modinfo, or cat /proc/modules" + }, + { + "name": "auditd:USER_CMD", + "channel": "USER_CMD" }, { "name": "AWS:CloudTrail", "channel": "InvokeFunction" }, { - "name": "m365:unified", - "channel": "Automated forwarding or file sync initiated by a logic app" + "name": "AWS:CloudTrail", + "channel": "eventName: RunInstances, CreateUser, PutRolePolicy, InvokeCommand" }, { - "name": "WinEventLog:PowerShell", - "channel": "EventCode=4103, 4104, 4105, 4106" + "name": "AWS:CloudTrail", + "channel": "SSM RunCommand" }, { - "name": "linux:syslog", - "channel": "Suspicious script or command execution targeting browser folders" + "name": "AWS:CloudTrail", + "channel": "GetLogEvents: High frequency log exports from CloudWatch or equivalent services" + }, + { + "name": "AWS:CloudTrail", + "channel": "command-line execution invoking credential enumeration" + }, + { + "name": "AWS:CloudTrail", + "channel": "ssm:GetCommandInvocation" + }, + { + "name": "AWS:CloudTrail", + "channel": "SendCommand, StartSession, ExecuteCommand: Unexpected AWS Systems Manager command execution targeting EC2 instances" + }, + { + "name": "azure:activity", 
+ "channel": "Intune PowerShell Scripts" + }, + { + "name": "azure:signinlogs", + "channel": "OperationName=SetDomainAuthentication OR Update-MsolFederatedDomain" + }, + { + "name": "Command", + "channel": "None" + }, + { + "name": "docker:api", + "channel": "docker logs access or container inspect commands from non-administrative users" + }, + { + "name": "docker:daemon", + "channel": "docker exec or docker run with unexpected command/entrypoint" + }, + { + "name": "docker:events", + "channel": "container exec rm|container stop --force" + }, + { + "name": "ebpf:syscalls", + "channel": "useradd or /etc/passwd modified inside container" + }, + { + "name": "EDR:AMSI", + "channel": "None" + }, + { + "name": "EDR:cli", + "channel": "Command Line Telemetry" + }, + { + "name": "esxi:hostd", + "channel": "command execution" + }, + { + "name": "esxi:hostd", + "channel": "/var/log/hostd.log" + }, + { + "name": "esxi:hostd", + "channel": "modification of config files or shell command execution" + }, + { + "name": "esxi:hostd", + "channel": "shell access or job registration" + }, + { + "name": "esxi:hostd", + "channel": "logline inspection" + }, + { + "name": "esxi:hostd", + "channel": "esxcli network firewall set commands" + }, + { + "name": "esxi:hostd", + "channel": "event stream" + }, + { + "name": "esxi:hostd", + "channel": "scp/ssh used to move file across hosts" + }, + { + "name": "esxi:hostd", + "channel": "None" + }, + { + "name": "esxi:hostd", + "channel": "esxcli system syslog config set or reload" + }, + { + "name": "esxi:hostd", + "channel": "command log" + }, + { + "name": "esxi:hostd", + "channel": "Execution of '/bin/vmx' or modifications to '/etc/rc.local.d/local.sh'" + }, + { + "name": "esxi:hostd", + "channel": "Command Execution" + }, + { + "name": "esxi:hostd", + "channel": "remote CLI + vim-cmd logging" + }, + { + "name": "esxi:hostd", + "channel": "execution + payload hints" + }, + { + "name": "esxi:shell", + "channel": "esxcli system syslog config 
set/reload, services.sh restart/stop" }, { "name": "esxi:shell", "channel": "snapshot create/copy, esxcli" }, { - "name": "auditd:SYSCALL", - "channel": "execve: Commands like systemctl stop , service stop, or kill -9 " + "name": "esxi:shell", + "channel": "interactive shell" + }, + { + "name": "esxi:shell", + "channel": "/var/log/shell.log" + }, + { + "name": "esxi:shell", + "channel": "invoked remote scripts (esxcli)" + }, + { + "name": "esxi:shell", + "channel": "base64 or gzip use within shell session" + }, + { + "name": "esxi:shell", + "channel": "scripts or binaries with misleading names" + }, + { + "name": "esxi:shell", + "channel": "/var/log/shell.log entries containing \"esxcli system clock get\"" + }, + { + "name": "esxi:shell", + "channel": "None" + }, + { + "name": "esxi:shell", + "channel": "command IN (\"esxcli vm process list\", \"vim-cmd vmsvc/getallvms\")" + }, + { + "name": "esxi:shell", + "channel": "openssl|tar|dd" + }, + { + "name": "esxi:shell", + "channel": "Execution of cat, tail, grep targeting /var/log/vmkernel.log or /var/log/hostd.log" + }, + { + "name": "esxi:shell", + "channel": "CLI usage logs" + }, + { + "name": "esxi:shell", + "channel": "Command execution trace" + }, + { + "name": "esxi:shell", + "channel": "shell command execution for chmod, chown, or file permission modification on VMFS or system files" + }, + { + "name": "esxi:shell", + "channel": "esxcli system syslog config set --loghost='' or stopping hostd service" + }, + { + "name": "esxi:shell", + "channel": "Shell Access/Command Execution" + }, + { + "name": "esxi:shell", + "channel": "esxcli software vib list" + }, + { + "name": "esxi:shell", + "channel": "/root/.ash_history" + }, + { + "name": "esxi:shell", + "channel": "mv, rename, or chmod commands moving VM files into hidden directories" + }, + { + "name": "esxi:shell", + "channel": "`esxcli software vib install` with `--force` or `--no-sig-check` from shell history or `shell.log`" + }, + { + "name": "esxi:shell", + 
"channel": "CLI session activity" + }, + { + "name": "esxi:shell", + "channel": "esxcli system shutdown or reboot invoked" + }, + { + "name": "esxi:shell", + "channel": "shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration" + }, + { + "name": "esxi:shell", + "channel": "unset HISTFILE or HISTFILESIZE modifications" + }, + { + "name": "esxi:syslog", + "channel": "boot logs" + }, + { + "name": "esxi:vmkernel", + "channel": "/var/log/vmkernel.log" + }, + { + "name": "esxi:vmkernel", + "channel": "DCUI shell start, BusyBox activity" + }, + { + "name": "esxi:vmkernel", + "channel": "esxcli system account add" + }, + { + "name": "esxi:vmkernel", + "channel": "Unexpected restarts of management agents or shell access" + }, + { + "name": "esxi:vmkernel", + "channel": "esxcli, vim-cmd invocation" + }, + { + "name": "esxi:vobd", + "channel": "shell session start" + }, + { + "name": "esxi:vpxd", + "channel": "vCenter Management" + }, + { + "name": "fs:fsusage", + "channel": "file system activity monitor" + }, + { + "name": "fs:fsusage", + "channel": "access to BPF devices or interface IOCTLs" + }, + { + "name": "gcp:audit", + "channel": "None" + }, + { + "name": "gcp:audit", + "channel": "methodName: setIamPolicy, startInstance, createServiceAccount" + }, + { + "name": "kubernetes:audit", + "channel": "Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session attached (i.e., automation anomaly)" + }, + { + "name": "kubernetes:audit", + "channel": "process execution involving curl, grep, or awk on secrets" + }, + { + "name": "linus:syslog", + "channel": "None" + }, + { + "name": "linux:cli", + "channel": "command logging" + }, + { + "name": "linux:cli", + "channel": "Shell history logs" + }, + { + "name": "linux:cli", + "channel": "Terminal Command History" + }, + { + "name": "linux:cli", + "channel": "/home/*/.bash_history" + }, + { + "name": "linux:osquery", + "channel": 
"Command-line includes base64 -d or openssl enc -d" + }, + { + "name": "linux:osquery", + "channel": "process_events.command_line" + }, + { + "name": "linux:shell", + "channel": "Manual invocation of software enumeration commands via interactive shell" + }, + { + "name": "linux:syslog", + "channel": "cron activity" + }, + { + "name": "linux:syslog", + "channel": "Suspicious script or command execution targeting browser folders" + }, + { + "name": "linux:syslog", + "channel": "Unusual outbound transfers from CLI tools like base64, gzip, or netcat" + }, + { + "name": "linux:syslog", + "channel": "sudo chage|grep pam_pwquality|cat /etc/login.defs" + }, + { + "name": "linux:syslog", + "channel": "sudo execution of ffmpeg/gst-launch/v4l2-ctl by non-standard user" + }, + { + "name": "linux:syslog", + "channel": "sshd logs" + }, + { + "name": "linux:syslog", + "channel": "CLI access to 'show running-config', 'show password', or 'cat config.txt'" + }, + { + "name": "linux:syslog", + "channel": "Sudo or root escalation followed by filesystem mount commands" + }, + { + "name": "linuxsyslog", + "channel": "nslcd or winbind logs" + }, + { + "name": "m365:defender", + "channel": "Activity Log: Command Invocation" + }, + { + "name": "m365:exchange", + "channel": "Cmdlet: Get-GlobalAddressList, Get-Recipient" + }, + { + "name": "m365:exchange", + "channel": "Get-RoleGroup, Get-DistributionGroup" + }, + { + "name": "m365:messagetrace", + "channel": "Inbound email triggers execution of mailbox-stored custom form" + }, + { + "name": "m365:messagetrace", + "channel": "Inbound email matches crafted rule trigger pattern tied to persistence logic" + }, + { + "name": "m365:messagetrace", + "channel": "Inbound email triggering Outlook to auto-access folder tied to malicious Home Page" + }, + { + "name": "m365:office", + "channel": "Startup execution includes non-default component" + }, + { + "name": "m365:office", + "channel": "Execution of unsigned macro from template" + }, + { + "name": 
"m365:unified", + "channel": "Automated forwarding or file sync initiated by a logic app" + }, + { + "name": "m365:unified", + "channel": "Search-Mailbox, Get-MessageTrace, eDiscovery requests" + }, + { + "name": "m365:unified", + "channel": "Set-Mailbox, New-InboxRule" + }, + { + "name": "m365:unified", + "channel": "Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation" + }, + { + "name": "macos:osquery", + "channel": "Interpreter exec with suspicious arguments as above" + }, + { + "name": "macos:osquery", + "channel": "launchd + process_events" + }, + { + "name": "macos:syslog", + "channel": "system.log" + }, + { + "name": "macos:syslog", + "channel": "/var/log/system.log" + }, + { + "name": "macos:unifiedlog", + "channel": "dsconfigad or dscl with create or append options for AD-bound users" }, { "name": "macos:unifiedlog", @@ -16716,42 +19396,14 @@ "name": "macos:unifiedlog", "channel": "log stream --predicate" }, - { - "name": "WinEventLog:PowerShell", - "channel": "Execution of Microsoft script to enumerate custom forms in Outlook mailbox" - }, - { - "name": "m365:messagetrace", - "channel": "Inbound email triggers execution of mailbox-stored custom form" - }, - { - "name": "auditd:EXECVE", - "channel": "Use of mv or cp to rename files with '.' prefix" - }, { "name": "macos:unifiedlog", "channel": "Execution of chflags hidden or SetFile -a V" }, - { - "name": "esxi:shell", - "channel": "interactive shell" - }, - { - "name": "networkdevice:cli", - "channel": "CLI command" - }, { "name": "macos:unifiedlog", "channel": "log stream" }, - { - "name": "esxi:vmkernel", - "channel": "/var/log/vmkernel.log" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve calls to locale, timedatectl, or cat /etc/timezone" - }, { "name": "macos:unifiedlog", "channel": "defaults read -g AppleLocale, systemsetup -gettimezone" 
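Review bot: The re-sorted `x_mitre_log_sources` list in the `@@ -16645,64 +18677,712 @@` hunk still carries two log-source names that look like misspellings of `linux:syslog`: `"name": "linus:syslog"` (channel `None`) and `"name": "linuxsyslog"` (channel `nslcd or winbind logs`). A consumer that groups or joins on `name` to decide which telemetry to collect will treat them as separate sources and can lose the Linux syslog coverage these entries describe. Since the commit already rewrites this list, I would normalise both to `"name": "linux:syslog"`; if this file is generated, the correction presumably belongs in the upstream data rather than in this diff. The later hunks that delete the old copies of these entries (`@@ -16888,46 +19436,14 @@` and `@@ -16936,698 +19452,118 @@`) need no change.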
@@ -16760,126 +19412,22 @@ "name": "macos:unifiedlog", "channel": "profiles install -type=configuration" }, - { - "name": "auditd:SYSCALL", - "channel": "sleep function usage or loops (nanosleep, usleep) in scripts" - }, - { - "name": "m365:unified", - "channel": "Search-Mailbox, Get-MessageTrace, eDiscovery requests" - }, - { - "name": "EDR:cli", - "channel": "Command Line Telemetry" - }, { "name": "macos:unifiedlog", "channel": "log stream --predicate 'eventMessage contains \"loginwindow\" or \"pfctl\"'" }, - { - "name": "networkdevice:syslog", - "channel": "Command Audit / Configuration Change" - }, - { - "name": "WinEventLog:Microsoft-Office/OutlookAddinMonitor", - "channel": "Outlook loading add-in via unexpected load path or non-default profile context" - }, { "name": "macos:unifiedlog", "channel": "exec or sudo usage with NOPASSWD context or echo modifying sudoers" }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4103, 4104, 4105, 4106" - }, - { - "name": "auditd:EXECVE", - "channel": "execve: Execution of update-ca-certificates or trust anchor modification commands" - }, { "name": "macos:unifiedlog", "channel": "Execution of /usr/bin/security add-trusted-cert or keychain modifications to System.keychain" }, - { - "name": "auditd:EXECVE", - "channel": "gcore, gdb, strings, hexdump execution" - }, - { - "name": "auditd:SYSCALL", - "channel": "connect, execve, write" - }, - { - "name": "esxi:hostd", - "channel": "command execution" - }, - { - "name": "auditd:EXECVE", - "channel": "Execution of auditctl, systemctl stop auditd, or kill -9 auditd" - }, - { - "name": "macos:syslog", - "channel": "system.log" - }, - { - "name": "esxi:hostd", - "channel": "/var/log/hostd.log" - }, - { - "name": "esxi:shell", - "channel": "/var/log/shell.log" - }, - { - "name": "docker:daemon", - "channel": "docker exec or docker run with unexpected command/entrypoint" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve call including 'nohup' or trailing '&'" - 
}, { "name": "macos:unifiedlog", "channel": "nohup, disown, or osascript execution patterns" }, - { - "name": "WinEventLog:PowerShell", - "channel": "CommandLine=copy-item or robocopy from UNC path" - }, - { - "name": "esxi:shell", - "channel": "invoked remote scripts (esxcli)" - }, - { - "name": "auditd:EXECVE", - "channel": "execution of systemctl with subcommands start, stop, enable, disable" - }, - { - "name": "networkdevice:cli", - "channel": "Policy Update" - }, - { - "name": "auditd:SYSCALL", - "channel": "None" - }, - { - "name": "AWS:CloudTrail", - "channel": "eventName: RunInstances, CreateUser, PutRolePolicy, InvokeCommand" - }, - { - "name": "gcp:audit", - "channel": "methodName: setIamPolicy, startInstance, createServiceAccount" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Commands executed within an SSH session where no matching logon/authentication event exists" - }, - { - "name": "esxi:hostd", - "channel": "modification of config files or shell command execution" - }, - { - "name": "kubernetes:audit", - "channel": "Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session attached (i.e., automation anomaly)" - }, { "name": "macos:unifiedlog", "channel": "Execution of 'profiles install -type=configuration'" 
@@ -16888,46 +19436,14 @@
 "name": "macos:unifiedlog",
 "channel": "subsystem:com.apple.Terminal"
 },
- {
- "name": "networkdevice:syslog",
- "channel": "eventlog"
- },
- {
- "name": "esxi:hostd",
- "channel": "shell access or job registration"
- },
- {
- "name": "WinEventLog:PowerShell",
- "channel": "PowerShell launched from outlook.exe or triggered without user invocation"
- },
- {
- "name": "m365:messagetrace",
- "channel": "Inbound email matches crafted rule trigger pattern tied to persistence logic"
- },
- {
- "name": "linus:syslog",
- "channel": "None"
- },
- {
- "name": "linux:syslog",
- "channel": "Unusual outbound transfers from CLI tools like base64, gzip, or netcat"
- },
 {
 "name": "macos:unifiedlog",
 "channel": "base64 or curl processes chained within short execution window"
 },
- {
- "name": "esxi:shell",
- "channel": "base64 or gzip use within shell session"
- },
 {
 "name": "macos:unifiedlog",
 "channel": "exec: Invocation of /usr/bin/defaults write or /usr/bin/plutil modifying plist keys"
 },
- {
- "name": "auditd:SYSCALL",
- "channel": "chmod, execve"
- },
 {
 "name": "macos:unifiedlog",
 "channel": "chmod command with arguments including '+s', 'u+s', or numeric values 4000\u20136777"
@@ -16936,698 +19452,118 @@ "name": "macos:unifiedlog", "channel": "command includes dscl . delete or sysadminctl --deleteUser" }, - { - "name": "fs:fsusage", - "channel": "file system activity monitor" - }, - { - "name": "networkdevice:cli", - "channel": "ip ssh pubkey-chain" - }, - { - "name": "esxi:shell", - "channel": "scripts or binaries with misleading names" - }, - { - "name": "auditd:EXECVE", - "channel": "Execution of GUI-related binaries with suppressed window/display flags" - }, - { - "name": "linuxsyslog", - "channel": "nslcd or winbind logs" - }, { "name": "macos:unifiedlog", "channel": "DS daemon log entries" }, - { - "name": "esxi:hostd", - "channel": "logline inspection" - }, { "name": "macos:unifiedlog", "channel": "diskutil eraseDisk / asr restore with destructive flags" }, - { - "name": "networkdevice:cli", - "channel": "erase flash:, erase startup-config, format disk" - }, - { - "name": "networkdevice:syslog", - "channel": "command_exec" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: iptables, nft, firewall-cmd modifications" - }, { "name": "macos:unifiedlog", "channel": "pfctl -d, socketfilterfw --setglobalstate off, or modifications to com.apple.alf" }, - { - "name": "esxi:hostd", - "channel": "esxcli network firewall set commands" - }, - { - "name": "docker:events", - "channel": "container exec rm|container stop --force" - }, - { - "name": "esxi:hostd", - "channel": "event stream" - }, - { - "name": "networkdevice:cli", - "channel": "CLI command logs" - }, - { - "name": "esxi:shell", - "channel": "/var/log/shell.log entries containing \"esxcli system clock get\"" - }, - { - "name": "networkdevice:syslog", - "channel": "command-exec: CLI commands containing \"show clock\", \"show clock detail\", \"show timezone\" executed by suspicious user/source" - }, - { - "name": "networkdevice:cli", - "channel": "cmd: cmd=show clock detail" - }, - { - "name": "auditd:EXECVE", - "channel": "curl -X POST, wget --post-data" - }, - { - "name": 
"linux:syslog", - "channel": "sudo chage|grep pam_pwquality|cat /etc/login.defs" - }, { "name": "macos:unifiedlog", "channel": "pwpolicy|PasswordPolicy" }, - { - "name": "networkdevice:syslog", - "channel": "cmd='show aaa*' OR 'show running-config | include password|aaa' OR 'show aaa common-criteria policy all'" - }, - { - "name": "networkdevice:syslog", - "channel": "CLI command audit" - }, - { - "name": "networkdevice:cli", - "channel": "Execution of commands to load, copy, or replace system images (e.g., 'copy tftp flash', 'boot system')" - }, - { - "name": "WinEventLog:PowerShell", - "channel": "Execution of PowerShell script to enumerate or remove malicious Home Page folder config" - }, - { - "name": "m365:messagetrace", - "channel": "Inbound email triggering Outlook to auto-access folder tied to malicious Home Page" - }, { "name": "macos:unifiedlog", "channel": "Command line contains smbutil view //, mount_smbfs //" }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Invocation of scp, rsync, curl, or sftp" - }, - { - "name": "esxi:hostd", - "channel": "scp/ssh used to move file across hosts" - }, - { - "name": "auditd:EXECVE", - "channel": "command line arguments containing lsblk, fdisk, parted" - }, { "name": "macos:unifiedlog", "channel": "log messages related to disk enumeration context or Terminal session" }, - { - "name": "auditd:SYSCALL", - "channel": "execve calls modifying local mail filter configuration files" - }, - { - "name": "esxi:hostd", - "channel": "None" - }, - { - "name": "esxi:shell", - "channel": "None" - }, - { - "name": "networkdevice:cli", - "channel": "None" - }, - { - "name": "linux:syslog", - "channel": "sudo execution of ffmpeg/gst-launch/v4l2-ctl by non-standard user" - }, - { - "name": "docker:api", - "channel": "docker logs access or container inspect commands from non-administrative users" - }, - { - "name": "esxi:shell", - "channel": "command IN (\"esxcli vm process list\", \"vim-cmd vmsvc/getallvms\")" - }, - { - "name": 
"auditd:SYSCALL", - "channel": "execve: process_name IN (\"virsh\", \"VBoxManage\", \"qemu-img\") AND command IN (\"list\", \"info\")" - }, - { - "name": "esxi:shell", - "channel": "openssl|tar|dd" - }, - { - "name": "AWS:CloudTrail", - "channel": "SSM RunCommand" - }, - { - "name": "azure:activity", - "channel": "Intune PowerShell Scripts" - }, - { - "name": "m365:exchange", - "channel": "Cmdlet: Get-GlobalAddressList, Get-Recipient" - }, - { - "name": "networkdevice:cli", - "channel": "Execution of commands like 'show running-config', 'copy running-config', or 'export config'" - }, - { - "name": "esxi:syslog", - "channel": "boot logs" - }, - { - "name": "networkdevice:syslog", - "channel": "system boot logs" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: service stop syslog, systemctl stop rsyslog, kill -9 syslog" - }, { "name": "macos:unifiedlog", "channel": "defaults write com.apple.system.logging or logd manipulation" }, - { - "name": "esxi:hostd", - "channel": "esxcli system syslog config set or reload" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: openssl pkcs12, certutil, keytool" - }, { "name": "macos:unifiedlog", "channel": "process calling security find-certificate, export, or import" }, - { - "name": "networkdevice:cli", - "channel": "Execution of CLI commands altering crypto parameters (e.g., 'crypto key generate rsa modulus 512')" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Process in container namespace executes curl|wget|bash|sh|python|nc with outbound args" - }, - { - "name": "m365:exchange", - "channel": "Get-RoleGroup, Get-DistributionGroup" - }, - { - "name": "auditd:SYSCALL", - "channel": "execution of systemctl or service with enable/start parameters" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of cat, less, grep, journalctl targeting log directories (/var/log/)" - }, { "name": "macos:unifiedlog", "channel": "Execution of log show, fs_usage, or cat targeting system.log" }, - { - 
"name": "AWS:CloudTrail", - "channel": "GetLogEvents: High frequency log exports from CloudWatch or equivalent services" - }, - { - "name": "esxi:shell", - "channel": "Execution of cat, tail, grep targeting /var/log/vmkernel.log or /var/log/hostd.log" - }, - { - "name": "esxi:shell", - "channel": "CLI usage logs" - }, - { - "name": "macos:syslog", - "channel": "/var/log/system.log" - }, { "name": "macos:unifiedlog", "channel": "execution of launchctl load/unload/start commands" }, - { - "name": "WinEventLog:PowerShell", - "channel": "Exchange Cmdlets" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of python, perl, or custom binaries invoking compression libraries" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve, USER_CMD" - }, - { - "name": "auditd:USER_CMD", - "channel": "USER_CMD" - }, - { - "name": "esxi:shell", - "channel": "Command execution trace" - }, - { - "name": "auditd:SYSCALL", - "channel": "bash/zsh of base64, tar, gzip, or openssl immediately after file write" - }, - { - "name": "linux:osquery", - "channel": "Command-line includes base64 -d or openssl enc -d" - }, { "name": "macos:unifiedlog", "channel": "base64 -d or osascript invoked on staged file" }, - { - "name": "auditd:EXECVE", - "channel": "exec: Execution of dd, efibootmgr, or flashrom modifying firmware/boot partitions" - }, - { - "name": "auditd:EXECVE", - "channel": "curl -d, wget --post-data" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Processes executing sendmail/postfix with forged headers" - }, { "name": "macos:unifiedlog", "channel": "diskutil partitionDisk or eraseVolume with partition scheme modifications" }, - { - "name": "networkdevice:cli", - "channel": "format flash:, format disk, reformat commands" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of tar, gzip, bzip2, xz, zip, or openssl with compression/encryption arguments" - }, - { - "name": "auditd:PROCTITLE", - "channel": "proctitle contains chmod, chown, 
setfacl, or attr commands with suspicious parameters" - }, - { - "name": "esxi:shell", - "channel": "shell command execution for chmod, chown, or file permission modification on VMFS or system files" - }, - { - "name": "networkdevice:Firewall", - "channel": "Audit trail or CLI/API access indicating commands like no access-list, delete rule-set, clear config" - }, - { - "name": "auditd:EXECVE", - "channel": "grep/cat/awk on files with password fields" - }, { "name": "macos:unifiedlog", "channel": "grep/cat on files matching credential patterns" }, - { - "name": "kubernetes:audit", - "channel": "process execution involving curl, grep, or awk on secrets" - }, - { - "name": "AWS:CloudTrail", - "channel": "command-line execution invoking credential enumeration" - }, - { - "name": "auditd:SYSCALL", - "channel": "promiscuous mode transitions (ioctl or ifconfig)" - }, - { - "name": "fs:fsusage", - "channel": "access to BPF devices or interface IOCTLs" - }, - { - "name": "networkdevice:syslog", - "channel": "exec command='monitor capture'" - }, - { - "name": "WinEventLog:Microsoft-Office-Alerts", - "channel": "Unexpected DLL or component loaded at Office startup" - }, - { - "name": "m365:office", - "channel": "Startup execution includes non-default component" - }, { "name": "macos:unifiedlog", "channel": "diskutil eraseDisk/zeroDisk or asr restore with destructive flags" }, - { - "name": "networkdevice:cli", - "channel": "erase flash:, erase nvram:, format disk" - }, { "name": "macos:unifiedlog", "channel": "spctl --master-disable, csrutil disable, or defaults write to disable Gatekeeper" }, - { - "name": "esxi:shell", - "channel": "esxcli system syslog config set --loghost='' or stopping hostd service" - }, - { - "name": "networkdevice:syslog", - "channel": "no logging buffered, no aaa new-model, disable firewall" - }, - { - "name": "auditd:EXECVE", - "channel": "git push, curl -X POST" - }, - { - "name": "linux:cli", - "channel": "command logging" - }, - { - "name": 
"esxi:hostd", - "channel": "command log" - }, - { - "name": "networkdevice:cli", - "channel": "command logs" - }, - { - "name": "networkdevice:syslog", - "channel": "interactive shell logging" - }, - { - "name": "esxi:hostd", - "channel": "Execution of '/bin/vmx' or modifications to '/etc/rc.local.d/local.sh'" - }, - { - "name": "auditd:SYSCALL", - "channel": "chattr, rm, shred, dd run on recovery directories or partitions" - }, - { - "name": "networkdevice:syslog", - "channel": "command sequence: erase \u2192 format \u2192 reload" - }, { "name": "macos:unifiedlog", "channel": "process: at, job runner" }, - { - "name": "macos:osquery", - "channel": "Interpreter exec with suspicious arguments as above" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of curl or wget writing files to /tmp/* followed by chmod or execution" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of downgraded interpreters such as python2 or forced fallback commands" - }, - { - "name": "auditd:PROCTITLE", - "channel": "proctitle contains chmod, chown, chgrp, setfacl, or attr with suspicious parameters (777, 755, +x, -R)" - }, - { - "name": "auditd:EXECVE", - "channel": "Execution of gsettings set org.gnome.login-screen disable-user-list true" - }, { "name": "macos:unifiedlog", "channel": "Execution of dscl . 
create with IsHidden=1" }, - { - "name": "linux:syslog", - "channel": "sshd logs" - }, - { - "name": "esxi:shell", - "channel": "Shell Access/Command Execution" - }, - { - "name": "networkdevice:syslog", - "channel": "CLI Command Logging" - }, - { - "name": "auditd:CONFIG_CHANGE", - "channel": "udev rule reload or trigger command executed" - }, - { - "name": "linux:cli", - "channel": "Shell history logs" - }, { "name": "macos:unifiedlog", "channel": "log stream --predicate 'processImagePath contains \"zip\" OR \"base64\"'" }, - { - "name": "networkdevice:cli", - "channel": "command logging" - }, - { - "name": "esxi:hostd", - "channel": "Command Execution" - }, - { - "name": "macos:osquery", - "channel": "launchd + process_events" - }, - { - "name": "esxi:vmkernel", - "channel": "DCUI shell start, BusyBox activity" - }, - { - "name": "esxi:hostd", - "channel": "remote CLI + vim-cmd logging" - }, - { - "name": "networkdevice:syslog", - "channel": "CLI Command Audit" - }, - { - "name": "m365:defender", - "channel": "Activity Log: Command Invocation" - }, - { - "name": "WinEventLog:PowerShell", - "channel": "CmdletName: Get-Recipient, Get-User" - }, - { - "name": "WinEventLog:PowerShell", - "channel": "Execution of 'Get-WmiObject Win32_Product' or similar PowerShell cmdlets" - }, - { - "name": "linux:shell", - "channel": "Manual invocation of software enumeration commands via interactive shell" - }, - { - "name": "auditd:SYSCALL", - "channel": "Command line arguments including SPApplicationsDataType" - }, - { - "name": "AWS:CloudTrail", - "channel": "ssm:GetCommandInvocation" - }, - { - "name": "esxi:shell", - "channel": "esxcli software vib list" - }, - { - "name": "auditd:EXECVE", - "channel": "execution of setfattr or getfattr commands" - }, { "name": "macos:unifiedlog", "channel": "xattr utility execution with -w or -p flags" }, - { - "name": "auditd:SYSCALL", - "channel": "Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP packets to known 
amplifier ports" - }, - { - "name": "auditd:SYSCALL", - "channel": "execution of tools like cat, grep, or awk on credential files" - }, { "name": "macos:unifiedlog", "channel": "execution of 'security', 'cat', or 'grep' commands accessing credential storage" }, - { - "name": "linux:syslog", - "channel": "CLI access to 'show running-config', 'show password', or 'cat config.txt'" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve of curl, rsync, wget with internal knowledge base or IPs" - }, - { - "name": "esxi:shell", - "channel": "/root/.ash_history" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of systemctl, loginctl, or systemd-inhibit commands related to sleep/hibernate" - }, - { - "name": "auditd:SYSCALL", - "channel": "Execution of xev, xdotool, or input activity emulators" - }, { "name": "macos:unifiedlog", "channel": "launchctl load or boot-time plist registration" }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of interpreters creating archive-like outputs without calling tar/gzip" - }, - { - "name": "networkdevice:syslog", - "channel": "command audit" - }, - { - "name": "networkdevice:cli", - "channel": "Interface commands" - }, { "name": "macos:unifiedlog", "channel": "dscl -create" }, - { - "name": "esxi:vmkernel", - "channel": "esxcli system account add" - }, - { - "name": "ebpf:syscalls", - "channel": "useradd or /etc/passwd modified inside container" - }, - { - "name": "auditd:SYSCALL", - "channel": "Execution of insmod, modprobe, or rmmod commands by non-standard users or outside expected timeframes" - }, { "name": "macos:unifiedlog", "channel": "kextload execution from Terminal or suspicious paths" }, - { - "name": "WinEventLog:PowerShell", - "channel": "Execution of PowerShell without -NoProfile flag" - }, - { - "name": "auditd:EXECVE", - "channel": "Process execution of update-ca-certificates or openssl with suspicious arguments" - }, { "name": "macos:unifiedlog", "channel": "xattr -d 
com.apple.quarantine or similar removal commands" }, - { - "name": "azure:signinlogs", - "channel": "OperationName=SetDomainAuthentication OR Update-MsolFederatedDomain" - }, - { - "name": "linux:syslog", - "channel": "Sudo or root escalation followed by filesystem mount commands" - }, - { - "name": "WinEventLog:PowerShell", - "channel": "EventCode=4101" - }, - { - "name": "networkdevice:cli", - "channel": "Execution of privileged commands such as 'copy tftp flash', 'boot system', or 'debug memory'" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve syscalls for discovery commands (uname, hostname, id, whoami, ps, netstat, mount) with command-line parameter analysis" - }, - { - "name": "auditd:PROCTITLE", - "channel": "process title records containing discovery command sequences and environmental assessment patterns" - }, { "name": "macos:unifiedlog", "channel": "Security framework operations including keychain access, cryptographic operations, and certificate validation" }, - { - "name": "m365:unified", - "channel": "Set-Mailbox, New-InboxRule" - }, { "name": "macos:unifiedlog", "channel": "None" }, - { - "name": "networkdevice:cli", - "channel": "Execution of commands disabling crypto hardware acceleration (e.g., 'no crypto engine enable')" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of curl, wget, or custom scripts accessing financial endpoints" - }, - { - "name": "auditd:EXECVE", - "channel": "Execution of chattr to set +i or +a attributes" - }, { "name": "macos:unifiedlog", "channel": "Execution of chflags hidden or setfile -a V" }, - { - "name": "esxi:shell", - "channel": "mv, rename, or chmod commands moving VM files into hidden directories" - }, - { - "name": "esxi:hostd", - "channel": "execution + payload hints" - }, - { - "name": "linux:osquery", - "channel": "process_events.command_line" - }, { "name": "macos:unifiedlog", "channel": "process:spawn, process:exec" }, - { - "name": "esxi:vobd", - "channel": "shell session 
start" - }, - { - "name": "networkdevice:cli", - "channel": "shell command" - }, - { - "name": "WinEventLog:Microsoft-Office-Alerts", - "channel": "Office application warning or alert on macro execution from template" - }, - { - "name": "m365:unified", - "channel": "Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation" - }, - { - "name": "m365:office", - "channel": "Execution of unsigned macro from template" - }, - { - "name": "linux:cli", - "channel": "Terminal Command History" - }, { "name": "macos:unifiedlog", "channel": "csrutil disable" 
@@ -17636,138 +19572,26 @@
 "name": "macos:unifiedlog",
 "channel": "log show --predicate 'process == '"
 },
- {
- "name": "networkdevice:syslog",
- "channel": "Privilege-level command execution"
- },
- {
- "name": "auditd:SYSCALL",
- "channel": "execve: Execution of tar, gzip, bzip2, or openssl with output redirection"
- },
- {
- "name": "saas:PRMetadata",
- "channel": "Commit message or branch name contains encoded strings or payload indicators"
- },
 {
 "name": "macos:unifiedlog",
 "channel": "Execution of launchctl with setenv or bootout targeting TCC.db or AppleScript under Finder context"
 },
- {
- "name": "esxi:shell",
- "channel": "`esxcli software vib install` with `--force` or `--no-sig-check` from shell history or `shell.log`"
- },
- {
- "name": "AWS:CloudTrail",
- "channel": "SendCommand, StartSession, ExecuteCommand: Unexpected AWS Systems Manager command execution targeting EC2 instances"
- },
- {
- "name": "esxi:vmkernel",
- "channel": "Unexpected restarts of management agents or shell access"
- },
- {
- "name": "auditd:EXECVE",
- "channel": "curl or wget with POST/PUT options"
- },
- {
- "name": "networkdevice:syslog",
- "channel": "Detected CLI command to export key material"
- },
- {
- "name": "networkdevice:config",
- "channel": "PKI export or certificate manipulation commands"
- },
 {
 "name": "macos:unifiedlog",
 "channel": "command execution triggered by emond (e.g., shell, curl, python)"
 },
- {
- "name": "esxi:vmkernel",
- "channel": "esxcli, vim-cmd invocation"
- },
- {
- "name": "esxi:shell",
- "channel": "CLI session activity"
- },
- {
- "name": "auditd:SYSCALL",
- "channel": "execve=/sbin/shutdown or /sbin/reboot"
- },
- {
- "name": "esxi:shell",
- "channel": "esxcli system shutdown or reboot invoked"
- },
- {
- "name": "networkdevice:syslog",
- "channel": "reload command issued"
- },
- {
- "name": "auditd:PROCTITLE",
- "channel": "command-line execution patterns for system discovery utilities (uname, hostname, ifconfig, netstat, lsof, ps, mount)"
- },
- {
- "name": "esxi:shell",
- "channel": "shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration"
- },
- {
- "name": "vpxd.log",
- "channel": "VM inventory queries and configuration enumeration through vCenter API calls"
- },
- {
- "name": "auditd:SYSCALL",
- "channel": "execve calls modifying HISTFILE or HISTCONTROL via unset/export"
- },
 {
 "name": "macos:unifiedlog",
 "channel": "Set or unset HIST* variables in shell environment"
 },
- {
- "name": "esxi:shell",
- "channel": "unset HISTFILE or HISTFILESIZE modifications"
- },
- {
- "name": "networkdevice:cli",
- "channel": "Commands like 'no logging' or equivalents that disable session history"
- },
- {
- "name": "auditd:SYSCALL",
- "channel": "execve calls to /usr/bin/locale or shell execution of $LANG"
- },
 {
 "name": "macos:unifiedlog",
 "channel": "defaults read -g AppleLocale or systemsetup -gettimezone"
 },
- {
- "name": "networkdevice:cli",
- "channel": "Execution of commands such as 'copy tftp flash', 'boot system ', 'reload'"
- },
- {
- "name": "auditd:EXECVE",
- "channel": "curl -T, rclone copy"
- },
- {
- "name": "auditd:SYSCALL",
- "channel": "execution of systemctl or service with enable/start/modify"
- },
 {
 "name": "macos:unifiedlog",
 "channel": "launchctl load/unload or plist file modification"
 },
- {
- "name": "networkdevice:syslog",
- "channel": "syslog facility LOCAL7 or trap messages"
- },
- {
- "name": "linux:cli",
- "channel": "/home/*/.bash_history"
- },
- {
- "name": "auditd:SYSCALL",
- "channel": "execve: Execution of lsmod, modinfo, or cat /proc/modules"
- },
- {
- "name": "networkdevice:config",
- "channel": "Configuration changes referencing 'boot system tftp' or modification of startup-config pointing to external TFTP servers"
- },
 {
 "name": "macos:unifiedlog",
 "channel": "dscl . -create"
@@ -17777,8 +19601,248 @@ "channel": "Execution of commands like `ls -l@`, `xattr -l`, or custom tools interacting with resource forks" }, { - "name": "esxi:vpxd", - "channel": "vCenter Management" + "name": "macos:unifiedlog", + "channel": "Execution of osascript, sh, bash, zsh, installer, open" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase" + }, + { + "name": "networkdevice:cli", + "channel": "CLI command" + }, + { + "name": "networkdevice:cli", + "channel": "Policy Update" + }, + { + "name": "networkdevice:cli", + "channel": "ip ssh pubkey-chain" + }, + { + "name": "networkdevice:cli", + "channel": "erase flash:, erase startup-config, format disk" + }, + { + "name": "networkdevice:cli", + "channel": "CLI command logs" + }, + { + "name": "networkdevice:cli", + "channel": "cmd: cmd=show clock detail" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands to load, copy, or replace system images (e.g., 'copy tftp flash', 'boot system')" + }, + { + "name": "networkdevice:cli", + "channel": "None" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands like 'show running-config', 'copy running-config', or 'export config'" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of CLI commands altering crypto parameters (e.g., 'crypto key generate rsa modulus 512')" + }, + { + "name": "networkdevice:cli", + "channel": "format flash:, format disk, reformat commands" + }, + { + "name": "networkdevice:cli", + "channel": "erase flash:, erase nvram:, format disk" + }, + { + "name": "networkdevice:cli", + "channel": "command logs" + }, + { + "name": "networkdevice:cli", + 
"channel": "command logging" + }, + { + "name": "networkdevice:cli", + "channel": "Interface commands" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of privileged commands such as 'copy tftp flash', 'boot system', or 'debug memory'" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands disabling crypto hardware acceleration (e.g., 'no crypto engine enable')" + }, + { + "name": "networkdevice:cli", + "channel": "shell command" + }, + { + "name": "networkdevice:cli", + "channel": "Commands like 'no logging' or equivalents that disable session history" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands such as 'copy tftp flash', 'boot system ', 'reload'" + }, + { + "name": "networkdevice:config", + "channel": "PKI export or certificate manipulation commands" + }, + { + "name": "networkdevice:config", + "channel": "Configuration changes referencing 'boot system tftp' or modification of startup-config pointing to external TFTP servers" + }, + { + "name": "networkdevice:Firewall", + "channel": "Audit trail or CLI/API access indicating commands like no access-list, delete rule-set, clear config" + }, + { + "name": "networkdevice:syslog", + "channel": "Command Audit / Configuration Change" + }, + { + "name": "networkdevice:syslog", + "channel": "eventlog" + }, + { + "name": "networkdevice:syslog", + "channel": "command_exec" + }, + { + "name": "networkdevice:syslog", + "channel": "command-exec: CLI commands containing \"show clock\", \"show clock detail\", \"show timezone\" executed by suspicious user/source" + }, + { + "name": "networkdevice:syslog", + "channel": "cmd='show aaa*' OR 'show running-config | include password|aaa' OR 'show aaa common-criteria policy all'" + }, + { + "name": "networkdevice:syslog", + "channel": "CLI command audit" + }, + { + "name": "networkdevice:syslog", + "channel": "system boot logs" + }, + { + "name": "networkdevice:syslog", + "channel": "exec command='monitor capture'" + }, 
+ { + "name": "networkdevice:syslog", + "channel": "no logging buffered, no aaa new-model, disable firewall" + }, + { + "name": "networkdevice:syslog", + "channel": "interactive shell logging" + }, + { + "name": "networkdevice:syslog", + "channel": "command sequence: erase \u2192 format \u2192 reload" + }, + { + "name": "networkdevice:syslog", + "channel": "CLI Command Logging" + }, + { + "name": "networkdevice:syslog", + "channel": "CLI Command Audit" + }, + { + "name": "networkdevice:syslog", + "channel": "command audit" + }, + { + "name": "networkdevice:syslog", + "channel": "Privilege-level command execution" + }, + { + "name": "networkdevice:syslog", + "channel": "Detected CLI command to export key material" + }, + { + "name": "networkdevice:syslog", + "channel": "reload command issued" + }, + { + "name": "networkdevice:syslog", + "channel": "syslog facility LOCAL7 or trap messages" + }, + { + "name": "saas:PRMetadata", + "channel": "Commit message or branch name contains encoded strings or payload indicators" + }, + { + "name": "vpxd.log", + "channel": "VM inventory queries and configuration enumeration through vCenter API calls" + }, + { + "name": "WinEventLog:Microsoft-Office-Alerts", + "channel": "Unexpected DLL or component loaded at Office startup" + }, + { + "name": "WinEventLog:Microsoft-Office-Alerts", + "channel": "Office application warning or alert on macro execution from template" + }, + { + "name": "WinEventLog:Microsoft-Office/OutlookAddinMonitor", + "channel": "Outlook loading add-in via unexpected load path or non-default profile context" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Get-ADTrust|GetAllTrustRelationships" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4103, 4104, 4105, 4106" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of Microsoft script to enumerate custom forms in Outlook mailbox" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "CommandLine=copy-item or 
robocopy from UNC path" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "PowerShell launched from outlook.exe or triggered without user invocation" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of PowerShell script to enumerate or remove malicious Home Page folder config" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Exchange Cmdlets" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "CmdletName: Get-Recipient, Get-User" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of 'Get-WmiObject Win32_Product' or similar PowerShell cmdlets" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of PowerShell without -NoProfile flag" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4101" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4103, 4104, 4105, 4106" } ] }, @@ -17787,6 +19851,7 @@ "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -17797,7 +19862,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-16T16:59:19.254Z", "name": "Service Metadata", "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -17892,6 +19957,10 @@ { "name": "networkdevice:config", "channel": "write: Startup configuration changes disabling security checks" + }, + { + "name": "auditd:DAEMON", + "channel": "auditd stopped, config changed, logging suspended" } ] }, 
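Review bot: The last entry on the new side of the `@@ -17777,8 +19601,248 @@` hunk files `EventCode=4103, 4104, 4105, 4106` under `WinEventLog:Security`, but those IDs are the PowerShell module-logging and script-block events written to the PowerShell operational log, and the same channel string already appears a few entries earlier under `WinEventLog:PowerShell`. A detection engineer following the Security entry would query a log that, as far as I know, does not carry these events, so I would drop that entry or rename its source to the PowerShell one. Separately, the `networkdevice:cli` entry with `"channel": "None"` stores a stringified null that a consumer cannot tell apart from a real channel name; the `Databases` entry added in the `@@ -18620,9 +20714,13 @@` hunk does the same. Omitting the key or using JSON `null` would be clearer, although the existing `Operational Databases` context entry suggests this is a file-wide convention that would have to change in one pass.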
@@ -17914,7 +19983,6 @@
 "modified": "2025-11-12T22:03:39.105Z",
 "name": "Scheduled Job Metadata",
 "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.",
- "x_mitre_data_source_ref": "",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
 "x_mitre_domains": [
@@ -17974,16 +20042,17 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-11-12T22:03:39.105Z",
+ "modified": "2026-04-16T16:41:53.549Z",
 "name": "File Modification",
 "description": "Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: \n\n- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\\Windows\\System32\\drivers\\etc\\hosts` on Windows.\n- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows.\n- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.\n- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows.\n- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries.",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
 "x_mitre_domains": [
 "ics-attack",
- "enterprise-attack"
+ "enterprise-attack",
+ "mobile-attack"
 ],
- "x_mitre_version": "2.0",
+ "x_mitre_version": "3.0",
 "x_mitre_attack_spec_version": "3.3.0",
 "x_mitre_log_sources": [
 {
@@ -18561,6 +20630,30 @@
 {
 "name": "esxi:vmkernel",
 "channel": "/var/log/vmkernel.log"
+ },
+ {
+ "name": "AndroidLogs:FileSystem",
+ "channel": "Modification to /system/etc/init/ or /vendor/etc/init/ boot-time scripts"
+ },
+ {
+ "name": "iOS:unifiedlog",
+ "channel": "Creation or modification of LaunchDaemon or LaunchAgent plist in /System/Library/LaunchDaemons, /Library/LaunchDaemons, or /Library/LaunchAgents"
+ },
+ {
+ "name": "android:logcat",
+ "channel": "INSERT or UPDATE of image/*, audio/*, video/* via ContentResolver with same URI re-written within short window; abnormal MIME/container change"
+ },
+ {
+ "name": "MobileEDR:telemetry",
+ "channel": "Application inserts, updates, deletes, hides, or marks message records in SMS store or messaging database immediately after SMS receive or send event"
+ },
+ {
+ "name": "MobileEDR:telemetry",
+ "channel": "Application inserts, updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history"
+ },
+ {
+ "name": "auditd:PATH",
+ "channel": "odification of ~/.ssh/authorized_keys or credential files"
 }
 ]
 },
@@ -18602,6 +20695,7 @@
 "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
 "created": "2022-05-11T16:22:58.802Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -18612,7 +20706,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-10-21T15:10:28.402Z",
+ "modified": "2026-04-22T14:51:44.669Z",
 "name": "Process History/Live Data",
 "description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
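Review bot: The `auditd:PATH` entry added at the end of the log-source list in the `@@ -18561,6 +20630,30 @@` hunk reads `odification of ~/.ssh/authorized_keys or credential files`; the leading `M` is missing. Anything that indexes or matches these channel descriptions by text will carry the typo, so the line should be `"channel": "Modification of ~/.ssh/authorized_keys or credential files"`. The phrase "credential files" is also open-ended next to a concrete path; naming the files that are meant would let the entry serve directly as an audit watch list.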
@@ -18620,9 +20714,13 @@
 "x_mitre_domains": [
 "ics-attack"
 ],
- "x_mitre_version": "2.0",
+ "x_mitre_version": "2.1",
 "x_mitre_attack_spec_version": "3.3.0",
 "x_mitre_log_sources": [
+ {
+ "name": "Databases",
+ "channel": "None"
+ },
 {
 "name": "Operational Databases",
 "channel": "None"
@@ -18645,7 +20743,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-11-12T22:03:39.105Z",
+ "modified": "2026-04-23T18:22:40.476Z",
 "name": "OS API Execution",
 "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -18655,7 +20753,7 @@
 "mobile-attack",
 "enterprise-attack"
 ],
- "x_mitre_version": "2.0",
+ "x_mitre_version": "2.1",
 "x_mitre_attack_spec_version": "3.3.0",
 "x_mitre_log_sources": [
 {
@@ -18933,6 +21031,410 @@ { "name": "EDR:file", "channel": "SetFileTime" + }, + { + "name": "AndroidLogs:Kernel", + "channel": "Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers)" + }, + { + "name": "android:logcat", + "channel": "SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID" + }, + { + "name": "iOS:unifiedlog", + "channel": "mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files" + }, + { + "name": "android:logcat", + "channel": "QUERY on exported ContentProviders of other packages (content:///*) or MediaStore scoped queries immediately preceding file reads" + }, + { + "name": "android:logcat", + "channel": "ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by " + }, + { + "name": "android:logcat", + "channel": "AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages" + }, + { + "name": "android:logcat", + "channel": "TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground" + }, + { + "name": "android:logcat", + "channel": "PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for . TYPE_WINDOW_STATE_CHANGED shows foreground app then immediate package queries by " + }, + { + "name": "iOS:unifiedlog", + "channel": "LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes" + }, + { + "name": "android:logcat", + "channel": "getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. 
Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks" + }, + { + "name": "iOS:unifiedlog", + "channel": "Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors" + }, + { + "name": "android:logcat", + "channel": "ACTION_VIEW redirect_uri handled by unexpected package" + }, + { + "name": "android:logcat", + "channel": "canOpenURL/LSApplicationWorkspace resolved to unexpected bundle for redirect_uri" + }, + { + "name": "android:logcat", + "channel": "query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree)" + }, + { + "name": "iOS:unifiedlog", + "channel": "enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers" + }, + { + "name": "android:logcat", + "channel": "wifiservice startScan / scanResults retrieved repeatedly or by unexpected package" + }, + { + "name": "android:logcat", + "channel": "bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package" + }, + { + "name": "android:logcat", + "channel": "telephony cell info enumeration bursts (neighboring/all cell info) by package" + }, + { + "name": "android:logcat", + "channel": "repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection)" + }, + { + "name": "android:logcat", + "channel": "Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE)" + }, + { + "name": "iOS:unifiedlog", + "channel": "Application invokes UIDevice queries (model, systemVersion, name)" + }, + { + "name": "android:logcat", + "channel": "Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source" + }, + { + "name": "iOS:unifiedlog", + "channel": "Invocation of AVAudioRecorder, AVCaptureSession, or related 
audio capture framework calls" + }, + { + "name": "android:logcat", + "channel": "Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs" + }, + { + "name": "iOS:unifiedlog", + "channel": "Application activates CoreLocation services or CLLocationManager APIs" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Observed network-path, reachability, DNS, transport, or location-provider framework reports repeated unavailable or failed state near active device use" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Content resolver, document provider, media store, storage access 
framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image" + }, + { + "name": "android:logcat", + "channel": "Invocation of Calendar.set() and Calendar.add()" + }, + { + "name": "iOS:unifiedlog", + "channel": "Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access" + }, + { + "name": "iOS:unifiedlog", + "channel": "Supplemental 
managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication" + }, + { + "name": "iOS:unifiedlog", + "channel": "Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow" + }, + { + "name": "iOS:unifiedlog", + "channel": "Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform" + }, + { + "name": "iOS:unifiedlog", + "channel": "Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing" + }, + { + "name": "android:logcat", + "channel": "Invocation of CallLogs.getLastOutgoingCall()" + }, + { + "name": "android:logcat", + "channel": 
"Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact()" + }, + { + "name": "iOS:unifiedlog", + "channel": "Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context" + }, + { + "name": "android:logcat", + "channel": "Invocation of AccountManager.getAccounts()" + }, + { + "name": "MobileEDR:telemetry", + "channel": "MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Accessibility-enabled app invoked global action such as back, home, recents, or navigation control while target foreground app context changed within TimeWindow" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App intercepts notification content from external package (e.g., messaging/auth 
apps) while in background OR without recent user interaction" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Keypair generation, import, or access events (public/private key usage) occurring prior to network communication" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application invokes archive, compression, or bulk-buffer packaging routines on previously accessed local data within the same execution chain" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application queries or 
opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application 
enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application launches or executes code where loaded library or component path does not match application package path or expected signing context" + }, + { + "name": "MobileEDR:telemetry", + "channel": "multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval" + }, + { + "name": "MobileEDR:telemetry", + 
"channel": "device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*)" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only after region match or location threshold condition" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence" + }, + { + "name": 
"MobileEDR:telemetry", + "channel": "application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or privileged file-removal operations immediately before installed-state loss" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections" } ] }, 
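Review bot: The added entry `"name": "android:logcat", "channel": "canOpenURL/LSApplicationWorkspace resolved to unexpected bundle for redirect_uri"` pairs an Android log source with identifiers that this same hunk otherwise lists under `iOS:unifiedlog` ("LSApplicationWorkspace or canOpenURL probe bursts"). The name looks copied from the preceding `ACTION_VIEW redirect_uri` entry and should probably be `"name": "iOS:unifiedlog"`. Separately, several added channels stop where a placeholder seems to be missing: `invoked by `, `burst for . TYPE_WINDOW_STATE_CHANGED`, `package queries by ` and `content:///*` here, and `imeId=`, `bound to (`, `on top of package ` and `shown over ` in the next hunk (`@@ -18952,221 +21454,110 @@`). That may be angle-bracket tokens lost in rendering, but if the stored strings really are empty there, a detection engineer cannot tell which package or IME the signal is keyed on, so the placeholder names should be restored or the channels reworded. The enclosing `x_mitre_log_sources` array starts outside the hunk.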
@@ -18952,221 +21454,110 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-24T19:46:47.171Z", "name": "Application Log Content", "description": "Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: \n\n- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).\n- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).\n- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.\n- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.\n- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ + { + "name": "android:logcat", + "channel": "Default IME active or bound to (InputMethodManager reports imeId=)" + }, + { + "name": "android:logcat", + "channel": "Default IME changed/active: imeId=, onStartInput/onFinishInput high frequency. 
TYPE_APPLICATION_OVERLAY|addView .* showing on top of package " + }, + { + "name": "android:logcat", + "channel": "Default IME active imeId=; frequent onStartInput/commitText calls" + }, + { + "name": "android:logcat", + "channel": "addView TYPE_APPLICATION_OVERLAY|TYPE_APPLICATION_ATTACHED_DIALOG shown over " + }, + { + "name": "android:logcat", + "channel": "Secure/Global reads of device_policy_manager, accessibility_enabled, default_vpn, always_on_vpn" + }, + { + "name": "android:logcat", + "channel": "Task switch from browser/custom tab to handler immediately after OAuth return" + }, + { + "name": "android:logcat", + "channel": "ACTION_OPEN_DOCUMENT_TREE / ACTION_OPEN_DOCUMENT invoked without user gesture or repeatedly in background" + }, { "name": "Application Log", "channel": "None" }, - { - "name": "WinEventLog:Application", - "channel": "Outlook errors loading or processing custom form templates" - }, - { - "name": "m365:unified", - "channel": "Unusual form activity within Outlook client, including load of non-default forms" - }, - { - "name": "saas:okta", - "channel": "Conditional Access policy rule modified or MFA requirement disabled" - }, - { - "name": "ApplicationLog:EntraIDPortal", - "channel": "DeviceRegistration events" - }, - { - "name": "ApplicationLog:Intune/MDM Logs", - "channel": "Enrollment events (e.g., MDMDeviceRegistration)" - }, - { - "name": "m365:purview", - "channel": "MailItemsAccessed & Exchange Audit" - }, - { - "name": "m365:purview", - "channel": "MailItemsAccessed, Search-Mailbox events" - }, - { - "name": "WinEventLog:Application", - "channel": "Office Add-in load errors, abnormal loading context, or unsigned add-in warnings" - }, - { - "name": "m365:unified", - "channel": "SendOnBehalf, MessageSend, ClickThrough, MailItemsAccessed" - }, { "name": "Application:Mail", "channel": "smtpd$.*$: .*from=[.*@internaldomain.com](mailto:.*@internaldomain.com) to=[.*@internaldomain.com](mailto:.*@internaldomain.com)" }, - { - "name": 
"saas:slack", - "channel": "file_upload, message_send, message_click" - }, - { - "name": "saas:teams", - "channel": "ChatMessageSent, ChatMessageEdited, LinkClick" - }, - { - "name": "saas:gmail", - "channel": "SendEmail, OpenAttachment, ClickLink" - }, - { - "name": "m365:unified", - "channel": "SendOnBehalf, MessageSend, AttachmentPreviewed" - }, - { - "name": "WinEventLog:System", - "channel": "Changes to applicationhost.config or DLLs loaded by w3wp.exe" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=6416" - }, - { - "name": "WinEventLog:System", - "channel": "Device started/installed (UMDF) GUIDs" - }, - { - "name": "linux:syslog", - "channel": "usb * new|thunderbolt|pci .* added|block.*: new .* device" - }, - { - "name": "macos:unifiedlog", - "channel": "Device attached|enumerated VID/PID" - }, - { - "name": "m365:unified", - "channel": "Send/Receive: Emails with suspicious sender domains, spoofed headers, or anomalous attachment types" - }, { "name": "Application:Mail", "channel": "Inbound messages with anomalous headers, spoofed SPF/DKIM failures" }, - { - "name": "macos:unifiedlog", - "channel": "Inbound email activity with suspicious domains or mismatched sender information" - }, - { - "name": "m365:unified", - "channel": "FileAccessed: Access of email attachments by Office applications" - }, - { - "name": "saas:collaboration", - "channel": "MessagePosted: Suspicious links or attachment delivery via collaboration tools (Slack, Teams, Zoom)" - }, - { - "name": "ApplicationLog:IIS", - "channel": "IIS W3C logs in C:\\inetpub\\logs\\LogFiles\\W3SVC* (spikes in 5xx, RCE/SQLi/path traversal/JNDI patterns)" - }, - { - "name": "ApplicationLog:WebServer", - "channel": "/var/log/httpd/access_log, /var/log/apache2/access.log, /var/log/nginx/access.log with exploit indicators and burst errors" - }, - { - "name": "macos:unifiedlog", - "channel": "App/web server logs ingested via unified logging or filebeat (nginx/apache/node)." 
- }, - { - "name": "ApplicationLog:Ingress", - "channel": "Kubernetes NGINX/Envoy ingress controller logs with anomalous payloads and 5xx spikes" - }, - { - "name": "esxi:hostd", - "channel": "/var/log/hostd.log anomalies (faults, crashes, restarts) around inbound connections" - }, - { - "name": "esxi:vmkernel", - "channel": "vmkernel / OpenSLP logs for malformed requests" - }, - { - "name": "networkdevice:controlplane", - "channel": "Syslog from edge devices with HTTP 500s on mgmt portal, SmartInstall events, unexpected CLI commands" - }, - { - "name": "WinEventLog:Application", - "channel": "Outlook rule execution failure or abnormal rule execution context" - }, - { - "name": "m365:unified", - "channel": "Creation or modification of inbox rule outside of normal user behavior" - }, - { - "name": "m365:unified", - "channel": "Send/Receive: Inbound emails containing embedded or shortened URLs" - }, { "name": "Application:Mail", "channel": "Inbound emails containing hyperlinks from suspicious sources" }, { - "name": "macos:unifiedlog", - "channel": "Received messages with embedded or shortened URLs" + "name": "Application:Mail", + "channel": "Inbound email attachments logged from MTAs with suspicious metadata" }, { - "name": "azure:signinlogs", - "channel": "ConsentGrant: Suspicious consent grants to non-approved or unknown applications" + "name": "Application:Mail", + "channel": "Mismatch between authenticated username and From header in email" }, { - "name": "m365:unified", - "channel": "AppRegistration: Unexpected application registration or OAuth authorization" + "name": "Application:Mail", + "channel": "High-frequency inbound mail activity to a specific recipient address" }, { - "name": "m365:unified", - "channel": "MessageSend, MessageRead, or FileAttached events containing credential-like patterns" + "name": "ApplicationLog:API", + "channel": "Docker/Kubernetes API access from external sources" }, { - "name": "m365:exchange", - "channel": "Emails containing 
cleartext secrets (password=, api_key=, token=) shared across internal/external domains" + "name": "ApplicationLog:CallRecords", + "channel": "Outbound or inbound calls to high-risk or blocklisted numbers" }, { - "name": "saas:slack", - "channel": "chat.postMessage, files.upload, or discovery API calls involving token/credential regex" + "name": "ApplicationLog:EntraIDPortal", + "channel": "DeviceRegistration events" }, { - "name": "linux:syslog", - "channel": "Inbound messages from webmail services containing attachments or URLs" + "name": "ApplicationLog:IIS", + "channel": "IIS W3C logs in C:\\inetpub\\logs\\LogFiles\\W3SVC* (spikes in 5xx, RCE/SQLi/path traversal/JNDI patterns)" }, { - "name": "macos:unifiedlog", - "channel": "Received messages containing embedded links or attachments from non-enterprise services" + "name": "ApplicationLog:Ingress", + "channel": "Kubernetes NGINX/Envoy ingress controller logs with anomalous payloads and 5xx spikes" }, { - "name": "WinEventLog:System", - "channel": "EventCode=1000" + "name": "ApplicationLog:Intune/MDM Logs", + "channel": "Enrollment events (e.g., MDMDeviceRegistration)" }, { - "name": "linux:syslog", - "channel": "kernel|systemd messages indicating 'segmentation fault'|'core dumped'|'service terminated unexpectedly' for sshd, smbd, vsftpd, mysqld, httpd, etc." + "name": "ApplicationLog:MailServer", + "channel": "Unexpected additions of sieve rules or filtering directives" }, { - "name": "esxi:hostd", - "channel": "Keywords: 'Backtrace','Signal 11','PANIC','hostd restarted','assert' or 'Service terminated unexpectedly' in /var/log/hostd.log, /var/log/vmkernel.log, /var/log/syslog.log." + "name": "ApplicationLog:Outlook", + "channel": "Outlook client-level rule creation actions not consistent with normal user activity" }, { - "name": "macos:unifiedlog", - "channel": "process 'crashed'|'EXC_BAD_ACCESS' for sshd, screensharingd, httpd; launchd restarts of these daemons." 
- }, - { - "name": "esxi:hostd", - "channel": "unexpected script/command invocations via hostd" - }, - { - "name": "linux:syslog", - "channel": "System daemons initiating encrypted sessions with unexpected destinations" - }, - { - "name": "esxi:vpxd", - "channel": "Symmetric crypto routines triggered for external session" + "name": "ApplicationLog:WebServer", + "channel": "/var/log/httpd/access_log, /var/log/apache2/access.log, /var/log/nginx/access.log with exploit indicators and burst errors" }, { "name": "AWS:CloudTrail", 
@@ -19177,228 +21568,248 @@ "channel": "InvokeModel" }, { - "name": "saas:openai", - "channel": "High volume of requests to /v1/chat/completions or /v1/images/generations" + "name": "AWS:CloudTrail", + "channel": "InvokeFunction: Unexpected or repeated invocation of functions not tied to known workflows" }, { - "name": "m365:unified", - "channel": "Set-Mailbox, Add-InboxRule, RegisterWebhook" + "name": "AWS:CloudTrail", + "channel": "CreateUser|AttachRolePolicy|CreateAccessKey|UpdateAssumeRolePolicy|CreateLoginProfile" }, { - "name": "saas:application", - "channel": "High-frequency invocation of SMS-related API endpoints from publicly accessible OTP or verification forms (e.g., Twilio: SendMessage, Cognito: AdminCreateUser) with irregular destination patterns." + "name": "AWS:CloudTrail", + "channel": "StopLogging, DeleteTrail, UpdateTrail: API calls that disable or modify logging services" }, { - "name": "NSM:Connections", - "channel": "PushNotificationSent" + "name": "AWS:CloudWatch", + "channel": "Repeated crash pattern within container or instance logs" }, { - "name": "saas:okta", - "channel": "MFAChallengeIssued" + "name": "AWS:CloudWatch", + "channel": "Elevated 5xx response rates in application logs or gateway layer" }, { - "name": "WinEventLog:Application", - "channel": "Exchange Transport Service loads unusual .NET assembly or errors upon transport agent execution" + "name": "azure:activity", + "channel": "Add role assignment / ElevateAccess / Create service principal" }, { - "name": "linux:syslog", - "channel": "milter configuration updated, transport rule initialized, unexpected script execution" + "name": "azure:audit", + "channel": "App registrations or consent grants by abnormal users or at unusual times" }, { - "name": "WinEventLog:Application", - "channel": "Unexpected spikes in request volume, application-level errors, or thread pool exhaustion in web or API logs" - }, - { - "name": "linux:syslog", - "channel": "Repetitive HTTP 408, 500, or 503 
errors logged within short timeframe" - }, - { - "name": "macos:unifiedlog", - "channel": "opendirectoryd crashes or abnormal authentication errors" - }, - { - "name": "m365:unified", - "channel": "ConsentGranted: Abuse of application integrations to mint tokens bypassing MFA" - }, - { - "name": "WinEventLog:Application", - "channel": "Browser or plugin/application logs showing script errors, plugin enumerations, or unusual extension load events" - }, - { - "name": "linux:syslog", - "channel": "Application or browser logs (webview errors, plugin enumerations) indicating suspicious script evaluation or plugin loads" - }, - { - "name": "macos:unifiedlog", - "channel": "Logs from unifiedlogging that show browser crashes, plugin enumerations, extension installs or errors around the same time as suspicious network fetches" - }, - { - "name": "m365:unified", - "channel": "Application Consent grants, new OAuth client registrations, or unusual admin-level activities executed by a user account shortly after suspected drive-by compromise" - }, - { - "name": "WinEventLog:Application", - "channel": "Outlook logs indicating failure to load or render HTML page in Home Page view" - }, - { - "name": "m365:unified", - "channel": "Folder configuration updated with external or HTML-formatted Home Page via Set-MailboxFolder" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=1102" - }, - { - "name": "linux:cli", - "channel": "cleared or truncated .bash_history" - }, - { - "name": "macos:unifiedlog", - "channel": "log stream cleared or truncated" - }, - { - "name": "m365:unified", - "channel": "PurgeAuditLogs, Remove-MailboxAuditLog" - }, - { - "name": "WinEventLog:System", - "channel": "EventCode=104" - }, - { - "name": "WinEventLog:Application", - "channel": "EventCode=1000" - }, - { - "name": "EDR:detection", - "channel": "ThreatDetected, QuarantineLog" - }, - { - "name": "macos:unifiedlog", - "channel": "quarantine or AV-related subsystem" - }, - { - "name": 
"EDR:detection", - "channel": "ThreatLog" + "name": "azure:signinlogs", + "channel": "ConsentGrant: Suspicious consent grants to non-approved or unknown applications" }, { "name": "azure:signinlogs", "channel": "Modify Conditional Access Policy" }, { - "name": "m365:unified", - "channel": "Set-CsOnlineUser or UpdateAuthPolicy" + "name": "azure:signinlogs", + "channel": "Register PTA Agent or Modify AD FS trust" }, { - "name": "m365:unified", - "channel": "New-InboxRule or Set-InboxRule events recorded in Exchange Online" - }, - { - "name": "ApplicationLog:MailServer", - "channel": "Unexpected additions of sieve rules or filtering directives" - }, - { - "name": "m365:unified", - "channel": "Transport rule or inbox rule creation events" - }, - { - "name": "ApplicationLog:Outlook", - "channel": "Outlook client-level rule creation actions not consistent with normal user activity" - }, - { - "name": "kubernetes:orchestrator", - "channel": "Access to orchestrator logs containing credentials (Docker/Kubernetes logs)" - }, - { - "name": "WinEventLog:Application", - "channel": "Service crash, unhandled exception, or application hang warnings for critical services (e.g., IIS, DNS, SQL Server)" - }, - { - "name": "journald:systemd", - "channel": "Repeated service restart attempts or unit failures" - }, - { - "name": "macos:unifiedlog", - "channel": "Repeated process crashes logged by CrashReporter or system instability logs in com.apple.console" - }, - { - "name": "docker:events", - "channel": "Container exited with non-zero code repeatedly in short period" - }, - { - "name": "WinEventLog:Application", - "channel": "SCCM, Intune logs" - }, - { - "name": "macos:jamf", - "channel": "RemoteCommandExecution" - }, - { - "name": "networkdevice:syslog", - "channel": "config push events" - }, - { - "name": "linux:syslog", - "channel": "processes binding to non-standard ports or sshd configured on unexpected port" - }, - { - "name": "m365:unified", - "channel": "GAL Lookup or Address 
Book download" - }, - { - "name": "esxi:hostd", - "channel": "Guest Operations API invocation: StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, InitiateFileTransferFromGuest" - }, - { - "name": "m365:unified", - "channel": "Send/Receive: Inbound emails with attachments from suspicious or spoofed senders" - }, - { - "name": "Application:Mail", - "channel": "Inbound email attachments logged from MTAs with suspicious metadata" - }, - { - "name": "macos:unifiedlog", - "channel": "Inbound messages with attachments from suspicious domains" - }, - { - "name": "WinEventLog:Application", - "channel": "Unexpected web application errors or CMS logs showing modification to index.html, default.aspx, or other public-facing files" - }, - { - "name": "m365:unified", - "channel": "certificate added or modified in application credentials" - }, - { - "name": "saas:Snowflake", - "channel": "QUERY: Large or repeated SELECT * queries to sensitive tables" - }, - { - "name": "saas:Airtable", - "channel": "EXPORT: User-triggered data export via GUI or API" - }, - { - "name": "ApplicationLog:CallRecords", - "channel": "Outbound or inbound calls to high-risk or blocklisted numbers" - }, - { - "name": "networkdevice:syslog", - "channel": "SIP REGISTER, INVITE, or unusual call destination metadata" - }, - { - "name": "macos:unifiedlog", - "channel": "Outgoing or incoming calls with non-standard caller IDs or unusual metadata" - }, - { - "name": "m365:unified", - "channel": "Unusual MFA requests or OAuth consent events temporally aligned with user-reported vishing call" + "name": "azure:signinlogs", + "channel": "Resource access initiated using application credentials, not user accounts" }, { "name": "docker:daemon", "channel": "container_create,container_start" }, { - "name": "saas:github", - "channel": "Bulk access to multiple files or large volume of repo requests within short time window" + "name": "docker:events", + "channel": "Container exited with non-zero code repeatedly in 
short period" + }, + { + "name": "docker:runtime", + "channel": "execution of cloud CLI tool (e.g., aws, az) inside container" + }, + { + "name": "EDR:detection", + "channel": "ThreatDetected, QuarantineLog" + }, + { + "name": "EDR:detection", + "channel": "ThreatLog" + }, + { + "name": "esxi:esxupdate", + "channel": "/var/log/esxupdate.log contains VIB installed with `--force` or `--no-sig-check` and non-standard acceptance levels" + }, + { + "name": "esxi:hostd", + "channel": "/var/log/hostd.log anomalies (faults, crashes, restarts) around inbound connections" + }, + { + "name": "esxi:hostd", + "channel": "Keywords: 'Backtrace','Signal 11','PANIC','hostd restarted','assert' or 'Service terminated unexpectedly' in /var/log/hostd.log, /var/log/vmkernel.log, /var/log/syslog.log." + }, + { + "name": "esxi:hostd", + "channel": "unexpected script/command invocations via hostd" + }, + { + "name": "esxi:hostd", + "channel": "Guest Operations API invocation: StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, InitiateFileTransferFromGuest" + }, + { + "name": "esxi:hostd", + "channel": "unexpected script invocations producing long encoded strings" + }, + { + "name": "esxi:hostd", + "channel": "Host daemon command log entries related to vib enumeration" + }, + { + "name": "esxi:hostd", + "channel": "New extension/module install with unknown vendor ID" + }, + { + "name": "esxi:vmkernel", + "channel": "vmkernel / OpenSLP logs for malformed requests" + }, + { + "name": "esxi:vpxd", + "channel": "Symmetric crypto routines triggered for external session" + }, + { + "name": "esxi:vpxd", + "channel": "ESXi process initiating asymmetric handshake with external host" + }, + { + "name": "gcp:workspaceaudit", + "channel": "SendAs: Outbound messages with alias identities that differ from primary account" + }, + { + "name": "iOS:unifiedlog", + "channel": "Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging" + }, + { + "name": 
"iOS:unifiedlog", + "channel": "UIPasteboard read (general/string/data) by ; repeated reads or background access" + }, + { + "name": "iOS:unifiedlog", + "channel": "UIWindow/UIView events indicating secure text entry focus, editingChanged bursts, unexpected firstResponder cycling" + }, + { + "name": "iOS:unifiedlog", + "channel": "Secure text entry focus and editingChanged bursts not typical for the app" + }, + { + "name": "iOS:unifiedlog", + "channel": "Presentation of credential-like view (UIAlertController with text fields / custom modal) not backed by system auth controller; frequent editingChanged in secureTextEntry fields" + }, + { + "name": "iOS:unifiedlog", + "channel": "Repeated canOpenURL checks across diverse schemes (\u2265N within short window)" + }, + { + "name": "iOS:unifiedlog", + "channel": "UIDocumentPickerViewController presented repeatedly without foreground interaction or with short dwell time" + }, + { + "name": "iOS:unifiedlog", + "channel": "repeated sandbox denials related to restricted process/system interfaces consistent with process-table querying attempts" + }, + { + "name": "iOS:unifiedlog", + "channel": "security-relevant kernel log messages indicating restricted system interface access attempts by app process (device-dependent visibility)" + }, + { + "name": "journald:Application", + "channel": "Segfault or crash log entry associated with specific application binary" + }, + { + "name": "journald:systemd", + "channel": "Repeated service restart attempts or unit failures" + }, + { + "name": "kubernetes:orchestrator", + "channel": "Access to orchestrator logs containing credentials (Docker/Kubernetes logs)" + }, + { + "name": "linux:cli", + "channel": "cleared or truncated .bash_history" + }, + { + "name": "linux:syslog", + "channel": "usb * new|thunderbolt|pci .* added|block.*: new .* device" + }, + { + "name": "linux:syslog", + "channel": "Inbound messages from webmail services containing attachments or URLs" + }, + { + "name": 
"linux:syslog", + "channel": "kernel|systemd messages indicating 'segmentation fault'|'core dumped'|'service terminated unexpectedly' for sshd, smbd, vsftpd, mysqld, httpd, etc." + }, + { + "name": "linux:syslog", + "channel": "System daemons initiating encrypted sessions with unexpected destinations" + }, + { + "name": "linux:syslog", + "channel": "milter configuration updated, transport rule initialized, unexpected script execution" + }, + { + "name": "linux:syslog", + "channel": "Repetitive HTTP 408, 500, or 503 errors logged within short timeframe" + }, + { + "name": "linux:syslog", + "channel": "Application or browser logs (webview errors, plugin enumerations) indicating suspicious script evaluation or plugin loads" + }, + { + "name": "linux:syslog", + "channel": "processes binding to non-standard ports or sshd configured on unexpected port" + }, + { + "name": "linux:syslog", + "channel": "system daemons initiating TLS sessions outside expected services" + }, + { + "name": "linux:syslog", + "channel": "browser/office crash, segfault, abnormal termination" + }, + { + "name": "linux:syslog", + "channel": "Error/warning logs from services indicating load spike or worker exhaustion" + }, + { + "name": "linux:syslog", + "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched from_domain vs return_path_domain" + }, + { + "name": "linux:syslog", + "channel": "suspicious DHCP lease assignment with unexpected DNS or gateway" + }, + { + "name": "linux:syslog", + "channel": "opened document|clicked link|segfault|abnormal termination|sandbox" + }, + { + "name": "linux:syslog", + "channel": "Authentication attempts into finance-related servers from unusual IPs or times" + }, + { + "name": "linux:syslog", + "channel": "sshd sessions with unusual port forwarding parameters" + }, + { + "name": "linux:syslog", + "channel": "Non-standard processes negotiating SSL/TLS key exchanges" + }, + { + "name": "linux:syslog", + "channel": "Module registration or stacktrace logs 
indicating segmentation faults or unknown module errors" + }, + { + "name": "linux:syslog", + "channel": "Segfaults, kernel oops, or crashes in security software processes" + }, + { + "name": "m365:exchange", + "channel": "Emails containing cleartext secrets (password=, api_key=, token=) shared across internal/external domains" }, { "name": "m365:exchange", 
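Review bot: The added `iOS:unifiedlog` entry whose channel reads `UIPasteboard read (general/string/data) by ; repeated reads or background access` has lost its subject: the text goes from `by` straight to `;`, which looks like a placeholder dropped before it reached this file (inferred, since the upstream text is not visible here). The nearby `canOpenURL` entry has a similar gap, because `(\u2265N within short window)` defines neither N nor the window, so two teams implementing it will alert on different thresholds. I would restore the subject, for example `by the app process`, matching the wording of the other iOS entries, and either give a starting threshold or say that N is tuned per environment. The first UIPasteboard entry (`Repeated or large UIPasteboard reads; …`) overlaps this one closely enough that the two could be merged. The array these entries belong to starts outside the hunk, so the data component they describe cannot be confirmed from here.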
@@ -19409,33 +21820,137 @@ "channel": "Admin Audit Logs, Transport Rules" }, { - "name": "saas:application", - "channel": "High-volume API calls or traffic via messaging or webhook service" + "name": "m365:exchange", + "channel": "MailDelivery: High-frequency delivery of messages or attachments to a single recipient" + }, + { + "name": "m365:exchange", + "channel": "New-InboxRule: Automation that triggers abnormal forwarding or external link generation" + }, + { + "name": "m365:exchange", + "channel": "MessageTrace logs" + }, + { + "name": "m365:exchange", + "channel": "External sender message followed by user action involving links or attachments" + }, + { + "name": "m365:mailboxaudit", + "channel": "Outlook rule creation or custom form deployment" + }, + { + "name": "m365:messagetrace", + "channel": "AuthenticationDetails=fail OR SPF=fail OR DKIM=fail OR DMARC=fail" + }, + { + "name": "m365:messagetrace", + "channel": "X-MS-Exchange-Organization-AutoForwarded" + }, + { + "name": "m365:purview", + "channel": "MailItemsAccessed & Exchange Audit" + }, + { + "name": "m365:purview", + "channel": "MailItemsAccessed, Search-Mailbox events" + }, + { + "name": "m365:teams", + "channel": "External chat request or new tenant communication preceding approval activity" + }, + { + "name": "m365:unified", + "channel": "Unusual form activity within Outlook client, including load of non-default forms" + }, + { + "name": "m365:unified", + "channel": "SendOnBehalf, MessageSend, ClickThrough, MailItemsAccessed" + }, + { + "name": "m365:unified", + "channel": "SendOnBehalf, MessageSend, AttachmentPreviewed" + }, + { + "name": "m365:unified", + "channel": "Send/Receive: Emails with suspicious sender domains, spoofed headers, or anomalous attachment types" + }, + { + "name": "m365:unified", + "channel": "FileAccessed: Access of email attachments by Office applications" + }, + { + "name": "m365:unified", + "channel": "Creation or modification of inbox rule outside of normal user 
behavior" + }, + { + "name": "m365:unified", + "channel": "Send/Receive: Inbound emails containing embedded or shortened URLs" + }, + { + "name": "m365:unified", + "channel": "AppRegistration: Unexpected application registration or OAuth authorization" + }, + { + "name": "m365:unified", + "channel": "MessageSend, MessageRead, or FileAttached events containing credential-like patterns" + }, + { + "name": "m365:unified", + "channel": "Set-Mailbox, Add-InboxRule, RegisterWebhook" + }, + { + "name": "m365:unified", + "channel": "ConsentGranted: Abuse of application integrations to mint tokens bypassing MFA" + }, + { + "name": "m365:unified", + "channel": "Application Consent grants, new OAuth client registrations, or unusual admin-level activities executed by a user account shortly after suspected drive-by compromise" + }, + { + "name": "m365:unified", + "channel": "Folder configuration updated with external or HTML-formatted Home Page via Set-MailboxFolder" + }, + { + "name": "m365:unified", + "channel": "PurgeAuditLogs, Remove-MailboxAuditLog" + }, + { + "name": "m365:unified", + "channel": "Set-CsOnlineUser or UpdateAuthPolicy" + }, + { + "name": "m365:unified", + "channel": "New-InboxRule or Set-InboxRule events recorded in Exchange Online" + }, + { + "name": "m365:unified", + "channel": "Transport rule or inbox rule creation events" + }, + { + "name": "m365:unified", + "channel": "GAL Lookup or Address Book download" + }, + { + "name": "m365:unified", + "channel": "Send/Receive: Inbound emails with attachments from suspicious or spoofed senders" + }, + { + "name": "m365:unified", + "channel": "certificate added or modified in application credentials" + }, + { + "name": "m365:unified", + "channel": "Unusual MFA requests or OAuth consent events temporally aligned with user-reported vishing call" }, { "name": "m365:unified", "channel": "Set federation settings on domain|Set domain authentication|Add federated identity provider" }, - { - "name": "linux:syslog", - 
"channel": "system daemons initiating TLS sessions outside expected services" - }, { "name": "m365:unified", "channel": "SendOnBehalf/SendAs: Emails sent where the sending identity mismatches account ownership" }, - { - "name": "Application:Mail", - "channel": "Mismatch between authenticated username and From header in email" - }, - { - "name": "macos:unifiedlog", - "channel": "Mail.app or third-party clients sending messages with mismatched From headers" - }, - { - "name": "gcp:workspaceaudit", - "channel": "SendAs: Outbound messages with alias identities that differ from primary account" - }, { "name": "m365:unified", "channel": "Set-MailboxAutoReplyConfiguration: Unexpected rule changes creating impersonated replies" 
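Review bot: Inbox-rule activity under `m365:unified` is named inconsistently in the entries this hunk adds: `Add-InboxRule` in `Set-Mailbox, Add-InboxRule, RegisterWebhook`, `New-InboxRule or Set-InboxRule` a few entries later, and prose-only entries such as `Transport rule or inbox rule creation events`. Anyone turning these channel strings into audit-log filters gets silent misses when a name does not match the operation value the log records. `New-InboxRule` and `Set-InboxRule` are the Exchange cmdlet names, while `Add-InboxRule` should be checked against the audit schema before it is relied on. I would use one spelling per operation, for example `Set-Mailbox, New-InboxRule, RegisterWebhook`, and fold the prose duplicates into the entry that names the operations; the two `m365:purview` entries that both key on `MailItemsAccessed` could be merged the same way. The enclosing array starts outside the hunk, so the data component these entries describe is not visible here.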
@@ -19444,242 +21959,34 @@ "name": "m365:unified", "channel": "SendOnBehalf/SendAs: Office Suite initiated messages using impersonated identities" }, - { - "name": "linux:syslog", - "channel": "browser/office crash, segfault, abnormal termination" - }, - { - "name": "macos:unifiedlog", - "channel": "process crash, abort, code signing violations" - }, - { - "name": "saas:okta", - "channel": "WebUI access to administrator dashboard" - }, { "name": "m365:unified", "channel": "Read-only configuration review from GUI" }, - { - "name": "saas:box", - "channel": "User navigated to admin interface" - }, - { - "name": "azure:signinlogs", - "channel": "Register PTA Agent or Modify AD FS trust" - }, { "name": "m365:unified", "channel": "Modify Federation Settings or Update Authentication Policy" }, - { - "name": "saas:okta", - "channel": "Federation configuration update or signing certificate change" - }, - { - "name": "macos:unifiedlog", - "channel": "Configuration profile modified or new profile installed" - }, - { - "name": "journald:Application", - "channel": "Segfault or crash log entry associated with specific application binary" - }, - { - "name": "macos:unifiedlog", - "channel": "Crash log entries for a process receiving malformed input or known exploit patterns" - }, - { - "name": "AWS:CloudWatch", - "channel": "Repeated crash pattern within container or instance logs" - }, - { - "name": "esxi:hostd", - "channel": "unexpected script invocations producing long encoded strings" - }, - { - "name": "docker:runtime", - "channel": "execution of cloud CLI tool (e.g., aws, az) inside container" - }, - { - "name": "WinEventLog:Application", - "channel": "VPN, Citrix, or remote access gateway logs showing external IP addresses" - }, - { - "name": "NSM:Connections", - "channel": "Failed password or accepted password for SSH users" - }, - { - "name": "ApplicationLog:API", - "channel": "Docker/Kubernetes API access from external sources" - }, { "name": "m365:unified", "channel": 
"Send/Receive: Unusual spikes in inbound messages to a single recipient" }, - { - "name": "Application:Mail", - "channel": "High-frequency inbound mail activity to a specific recipient address" - }, - { - "name": "m365:exchange", - "channel": "MailDelivery: High-frequency delivery of messages or attachments to a single recipient" - }, - { - "name": "macos:unifiedlog", - "channel": "Repetitive inbound email delivery activity logged within a short time window" - }, - { - "name": "saas:confluence", - "channel": "access.content" - }, { "name": "m365:unified", "channel": "PowerShell: Add-MailboxPermission" }, - { - "name": "AWS:CloudTrail", - "channel": "InvokeFunction: Unexpected or repeated invocation of functions not tied to known workflows" - }, - { - "name": "m365:exchange", - "channel": "New-InboxRule: Automation that triggers abnormal forwarding or external link generation" - }, - { - "name": "saas:googledrive", - "channel": "FileOpen / FileAccess: Event-driven script triggering on user file actions" - }, - { - "name": "networkdevice:syslog", - "channel": "Failed authentication requests redirected to non-standard portals" - }, - { - "name": "saas:okta", - "channel": "System API Call: user.read, group.read" - }, - { - "name": "esxi:hostd", - "channel": "Host daemon command log entries related to vib enumeration" - }, { "name": "m365:unified", "channel": "Add-MailboxPermission or Set-ManagementRoleAssignment" }, - { - "name": "WinEventLog:Application", - "channel": "Outlook rule creation, form load, or homepage redirection" - }, - { - "name": "m365:mailboxaudit", - "channel": "Outlook rule creation or custom form deployment" - }, - { - "name": "saas:zoom", - "channel": "unusual web session tokens and automation patterns during login" - }, - { - "name": "WinEventLog:Application", - "channel": "High-frequency errors or hangs from resource-intensive application components (e.g., .NET, IIS, Office Suite)" - }, - { - "name": "linux:syslog", - "channel": "Error/warning 
logs from services indicating load spike or worker exhaustion" - }, - { - "name": "macos:unifiedlog", - "channel": "Application errors or resource contention from excessive frontend or script invocation" - }, - { - "name": "AWS:CloudWatch", - "channel": "Elevated 5xx response rates in application logs or gateway layer" - }, - { - "name": "m365:messagetrace", - "channel": "AuthenticationDetails=fail OR SPF=fail OR DKIM=fail OR DMARC=fail" - }, - { - "name": "linux:syslog", - "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched from_domain vs return_path_domain" - }, - { - "name": "macos:unifiedlog", - "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched header vs envelope domains" - }, - { - "name": "saas:email", - "channel": "AuthenticationFailures (SPF/DKIM/DMARC) OR Domain Mismatch" - }, - { - "name": "WinEventLog:System", - "channel": "EventCode=1341, 1342, 1020, 1063" - }, - { - "name": "linux:syslog", - "channel": "suspicious DHCP lease assignment with unexpected DNS or gateway" - }, - { - "name": "macos:unifiedlog", - "channel": "new DHCP configuration with anomalous DNS or router values" - }, - { - "name": "WinEventLog:Application", - "channel": "Exchange logs or header artifacts" - }, - { - "name": "macos:unifiedlog", - "channel": "Mail or AppleScript subsystem" - }, - { - "name": "m365:exchange", - "channel": "MessageTrace logs" - }, - { - "name": "linux:syslog", - "channel": "opened document|clicked link|segfault|abnormal termination|sandbox" - }, - { - "name": "macos:unifiedlog", - "channel": "opened document|clicked link|EXC_BAD_ACCESS|abort|LSQuarantine" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4663, 4670, 4656" - }, { "name": "m365:unified", "channel": "Set-PartnerOfRecord / CompanyAdministrator role assignments / New-DelegatedAdminRelationship" }, - { - "name": "AWS:CloudTrail", - "channel": "CreateUser|AttachRolePolicy|CreateAccessKey|UpdateAssumeRolePolicy|CreateLoginProfile" - }, - { - "name": 
"azure:activity", - "channel": "Add role assignment / ElevateAccess / Create service principal" - }, - { - "name": "saas:googleworkspace", - "channel": "OAuth2 authorization grants / Admin role assignments" - }, { "name": "m365:unified", "channel": "Add-DelegatedAdmin, Set-PartnerOfRecord, Add-MailboxPermission, Set-OrganizationRelationship" }, - { - "name": "linux:syslog", - "channel": "Authentication attempts into finance-related servers from unusual IPs or times" - }, - { - "name": "macos:unifiedlog", - "channel": "Anomalous keychain access attempts targeting payment credentials" - }, - { - "name": "saas:finance", - "channel": "Transaction/Transfer: Unusual or large transactions initiated outside business hours or by unusual accounts" - }, - { - "name": "saas:audit", - "channel": "Rule/ConfigChange: Auto-forward rules, delegate assignments, or changes to financial approval workflows" - }, { "name": "m365:unified", "channel": "MailSend: Outlook messages with suspicious subject/body terms (e.g., urgent payment, wire transfer) targeting finance teams" 
@@ -19696,66 +22003,10 @@ "name": "m365:unified", "channel": "RunMacro" }, - { - "name": "azure:audit", - "channel": "App registrations or consent grants by abnormal users or at unusual times" - }, - { - "name": "azure:signinlogs", - "channel": "Resource access initiated using application credentials, not user accounts" - }, - { - "name": "saas:slack", - "channel": "OAuth token use by unknown app client_id accessing private channels or files" - }, - { - "name": "esxi:esxupdate", - "channel": "/var/log/esxupdate.log contains VIB installed with `--force` or `--no-sig-check` and non-standard acceptance levels" - }, - { - "name": "linux:syslog", - "channel": "sshd sessions with unusual port forwarding parameters" - }, - { - "name": "saas:audit", - "channel": "Application added or consent granted: Integration persisting after original user disabled" - }, - { - "name": "linux:syslog", - "channel": "Non-standard processes negotiating SSL/TLS key exchanges" - }, - { - "name": "esxi:vpxd", - "channel": "ESXi process initiating asymmetric handshake with external host" - }, - { - "name": "WinEventLog:Application", - "channel": "Unusual DLL/plugin registration for IIS/SQL/Apache or unexpected error logs" - }, - { - "name": "linux:syslog", - "channel": "Module registration or stacktrace logs indicating segmentation faults or unknown module errors" - }, - { - "name": "esxi:hostd", - "channel": "New extension/module install with unknown vendor ID" - }, { "name": "m365:unified", "channel": "FileUploaded or FileCopied events" }, - { - "name": "saas:salesforce", - "channel": "DataExport, RestAPI, Login, ReportExport" - }, - { - "name": "saas:hubspot", - "channel": "contact_viewed, contact_exported, login" - }, - { - "name": "saas:slack", - "channel": "conversations.history, files.list, users.info, audit_logs" - }, { "name": "m365:unified", "channel": "TeamsMessageAccess, TeamsExport, ExternalAppAccess" 
@@ -19769,24 +22020,368 @@ "channel": "FileAccessed" }, { - "name": "m365:messagetrace", - "channel": "X-MS-Exchange-Organization-AutoForwarded" + "name": "m365:unified", + "channel": "ApplicationModified, ConsentGranted: Unexpected app consent or modification events linked to security evasion" }, { - "name": "linux:syslog", - "channel": "Segfaults, kernel oops, or crashes in security software processes" + "name": "m365:unified", + "channel": "MailItemsAccessed; AddedInboxRule; ConsentToApplication; SharingSet" + }, + { + "name": "m365:unified", + "channel": "Set-AdminAuditLogConfig;New-ApplicationAccessPolicy;ConsentToApplication" + }, + { + "name": "macos:jamf", + "channel": "RemoteCommandExecution" + }, + { + "name": "macos:unifiedlog", + "channel": "Device attached|enumerated VID/PID" + }, + { + "name": "macos:unifiedlog", + "channel": "Inbound email activity with suspicious domains or mismatched sender information" + }, + { + "name": "macos:unifiedlog", + "channel": "App/web server logs ingested via unified logging or filebeat (nginx/apache/node)." + }, + { + "name": "macos:unifiedlog", + "channel": "Received messages with embedded or shortened URLs" + }, + { + "name": "macos:unifiedlog", + "channel": "Received messages containing embedded links or attachments from non-enterprise services" + }, + { + "name": "macos:unifiedlog", + "channel": "process 'crashed'|'EXC_BAD_ACCESS' for sshd, screensharingd, httpd; launchd restarts of these daemons." 
+ }, + { + "name": "macos:unifiedlog", + "channel": "opendirectoryd crashes or abnormal authentication errors" + }, + { + "name": "macos:unifiedlog", + "channel": "Logs from unifiedlogging that show browser crashes, plugin enumerations, extension installs or errors around the same time as suspicious network fetches" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream cleared or truncated" + }, + { + "name": "macos:unifiedlog", + "channel": "quarantine or AV-related subsystem" + }, + { + "name": "macos:unifiedlog", + "channel": "Repeated process crashes logged by CrashReporter or system instability logs in com.apple.console" + }, + { + "name": "macos:unifiedlog", + "channel": "Inbound messages with attachments from suspicious domains" + }, + { + "name": "macos:unifiedlog", + "channel": "Outgoing or incoming calls with non-standard caller IDs or unusual metadata" + }, + { + "name": "macos:unifiedlog", + "channel": "Mail.app or third-party clients sending messages with mismatched From headers" + }, + { + "name": "macos:unifiedlog", + "channel": "process crash, abort, code signing violations" + }, + { + "name": "macos:unifiedlog", + "channel": "Configuration profile modified or new profile installed" + }, + { + "name": "macos:unifiedlog", + "channel": "Crash log entries for a process receiving malformed input or known exploit patterns" + }, + { + "name": "macos:unifiedlog", + "channel": "Repetitive inbound email delivery activity logged within a short time window" + }, + { + "name": "macos:unifiedlog", + "channel": "Application errors or resource contention from excessive frontend or script invocation" + }, + { + "name": "macos:unifiedlog", + "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched header vs envelope domains" + }, + { + "name": "macos:unifiedlog", + "channel": "new DHCP configuration with anomalous DNS or router values" + }, + { + "name": "macos:unifiedlog", + "channel": "Mail or AppleScript subsystem" + }, + { + "name": 
"macos:unifiedlog", + "channel": "opened document|clicked link|EXC_BAD_ACCESS|abort|LSQuarantine" + }, + { + "name": "macos:unifiedlog", + "channel": "Anomalous keychain access attempts targeting payment credentials" }, { "name": "macos:unifiedlog", "channel": "Abnormal terminations of com.apple.security.* or 3rd-party security daemons" }, { - "name": "AWS:CloudTrail", - "channel": "StopLogging, DeleteTrail, UpdateTrail: API calls that disable or modify logging services" + "name": "networkdevice:controlplane", + "channel": "Syslog from edge devices with HTTP 500s on mgmt portal, SmartInstall events, unexpected CLI commands" }, { - "name": "m365:unified", - "channel": "ApplicationModified, ConsentGranted: Unexpected app consent or modification events linked to security evasion" + "name": "networkdevice:syslog", + "channel": "config push events" + }, + { + "name": "networkdevice:syslog", + "channel": "SIP REGISTER, INVITE, or unusual call destination metadata" + }, + { + "name": "networkdevice:syslog", + "channel": "Failed authentication requests redirected to non-standard portals" + }, + { + "name": "NSM:Connections", + "channel": "PushNotificationSent" + }, + { + "name": "NSM:Connections", + "channel": "Failed password or accepted password for SSH users" + }, + { + "name": "saas:Airtable", + "channel": "EXPORT: User-triggered data export via GUI or API" + }, + { + "name": "saas:application", + "channel": "High-frequency invocation of SMS-related API endpoints from publicly accessible OTP or verification forms (e.g., Twilio: SendMessage, Cognito: AdminCreateUser) with irregular destination patterns." 
+ }, + { + "name": "saas:application", + "channel": "High-volume API calls or traffic via messaging or webhook service" + }, + { + "name": "saas:audit", + "channel": "Rule/ConfigChange: Auto-forward rules, delegate assignments, or changes to financial approval workflows" + }, + { + "name": "saas:audit", + "channel": "Application added or consent granted: Integration persisting after original user disabled" + }, + { + "name": "saas:box", + "channel": "User navigated to admin interface" + }, + { + "name": "saas:collaboration", + "channel": "MessagePosted: Suspicious links or attachment delivery via collaboration tools (Slack, Teams, Zoom)" + }, + { + "name": "saas:confluence", + "channel": "access.content" + }, + { + "name": "saas:email", + "channel": "AuthenticationFailures (SPF/DKIM/DMARC) OR Domain Mismatch" + }, + { + "name": "saas:finance", + "channel": "Transaction/Transfer: Unusual or large transactions initiated outside business hours or by unusual accounts" + }, + { + "name": "saas:github", + "channel": "Bulk access to multiple files or large volume of repo requests within short time window" + }, + { + "name": "saas:gmail", + "channel": "SendEmail, OpenAttachment, ClickLink" + }, + { + "name": "saas:googledrive", + "channel": "FileOpen / FileAccess: Event-driven script triggering on user file actions" + }, + { + "name": "saas:googleworkspace", + "channel": "OAuth2 authorization grants / Admin role assignments" + }, + { + "name": "saas:hubspot", + "channel": "contact_viewed, contact_exported, login" + }, + { + "name": "saas:okta", + "channel": "Conditional Access policy rule modified or MFA requirement disabled" + }, + { + "name": "saas:okta", + "channel": "MFAChallengeIssued" + }, + { + "name": "saas:okta", + "channel": "WebUI access to administrator dashboard" + }, + { + "name": "saas:okta", + "channel": "Federation configuration update or signing certificate change" + }, + { + "name": "saas:okta", + "channel": "System API Call: user.read, group.read" + }, 
+ { + "name": "saas:okta", + "channel": "policy.rule.update;system.log.disable;admin.role.assign" + }, + { + "name": "saas:openai", + "channel": "High volume of requests to /v1/chat/completions or /v1/images/generations" + }, + { + "name": "saas:salesforce", + "channel": "DataExport, RestAPI, Login, ReportExport" + }, + { + "name": "saas:slack", + "channel": "file_upload, message_send, message_click" + }, + { + "name": "saas:slack", + "channel": "chat.postMessage, files.upload, or discovery API calls involving token/credential regex" + }, + { + "name": "saas:slack", + "channel": "OAuth token use by unknown app client_id accessing private channels or files" + }, + { + "name": "saas:slack", + "channel": "conversations.history, files.list, users.info, audit_logs" + }, + { + "name": "saas:slack", + "channel": "xternal DM or workspace invite preceding credential or approval actions" + }, + { + "name": "saas:Snowflake", + "channel": "QUERY: Large or repeated SELECT * queries to sensitive tables" + }, + { + "name": "saas:teams", + "channel": "ChatMessageSent, ChatMessageEdited, LinkClick" + }, + { + "name": "saas:zoom", + "channel": "unusual web session tokens and automation patterns during login" + }, + { + "name": "saas:zoom", + "channel": "Unexpected contact interaction preceding follow-on admin requests" + }, + { + "name": "WinEventLog:Application", + "channel": "Outlook errors loading or processing custom form templates" + }, + { + "name": "WinEventLog:Application", + "channel": "Office Add-in load errors, abnormal loading context, or unsigned add-in warnings" + }, + { + "name": "WinEventLog:Application", + "channel": "Outlook rule execution failure or abnormal rule execution context" + }, + { + "name": "WinEventLog:Application", + "channel": "Exchange Transport Service loads unusual .NET assembly or errors upon transport agent execution" + }, + { + "name": "WinEventLog:Application", + "channel": "Unexpected spikes in request volume, application-level errors, or 
thread pool exhaustion in web or API logs" + }, + { + "name": "WinEventLog:Application", + "channel": "Browser or plugin/application logs showing script errors, plugin enumerations, or unusual extension load events" + }, + { + "name": "WinEventLog:Application", + "channel": "Outlook logs indicating failure to load or render HTML page in Home Page view" + }, + { + "name": "WinEventLog:Application", + "channel": "EventCode=1000" + }, + { + "name": "WinEventLog:Application", + "channel": "Service crash, unhandled exception, or application hang warnings for critical services (e.g., IIS, DNS, SQL Server)" + }, + { + "name": "WinEventLog:Application", + "channel": "SCCM, Intune logs" + }, + { + "name": "WinEventLog:Application", + "channel": "Unexpected web application errors or CMS logs showing modification to index.html, default.aspx, or other public-facing files" + }, + { + "name": "WinEventLog:Application", + "channel": "VPN, Citrix, or remote access gateway logs showing external IP addresses" + }, + { + "name": "WinEventLog:Application", + "channel": "Outlook rule creation, form load, or homepage redirection" + }, + { + "name": "WinEventLog:Application", + "channel": "High-frequency errors or hangs from resource-intensive application components (e.g., .NET, IIS, Office Suite)" + }, + { + "name": "WinEventLog:Application", + "channel": "Exchange logs or header artifacts" + }, + { + "name": "WinEventLog:Application", + "channel": "Unusual DLL/plugin registration for IIS/SQL/Apache or unexpected error logs" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=6416" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=1102" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4663, 4670, 4656" + }, + { + "name": "WinEventLog:System", + "channel": "Changes to applicationhost.config or DLLs loaded by w3wp.exe" + }, + { + "name": "WinEventLog:System", + "channel": "Device started/installed (UMDF) GUIDs" + }, + { + "name": 
"WinEventLog:System", + "channel": "EventCode=1000" + }, + { + "name": "WinEventLog:System", + "channel": "EventCode=104" + }, + { + "name": "WinEventLog:System", + "channel": "EventCode=1341, 1342, 1020, 1063" } ] }, @@ -20287,14 +22882,14 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datacomponents/DC0078", + "url": "https://attack.mitre.org/data-components/DC0078", "external_id": "DC0078" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-09T17:32:30.362Z", "name": "Network Traffic Flow", "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -20304,7 +22899,7 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { @@ -20926,6 +23521,22 @@ { "name": "esxi:vmkernel", "channel": "port 22 access" + }, + { + "name": "TelecomLogs:MobilityEvents", + "channel": "Unexpected location resolution events or abnormal subscriber tracking requests" + }, + { + "name": "TelecomLogs:MobilityEvents", + "channel": "Unexpected subscriber tracking or abnormal mobility/location resolution activity" + }, + { + "name": "NSM:Flow", + "channel": "Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns" + }, + { + "name": "NSM:Flow", + "channel": "App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication" } ] }, 
@@ -20945,109 +23556,70 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-24T19:47:33.610Z", "name": "User Account Authentication", "description": "An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { - "name": "User Account", - "channel": "None" + "name": "auditd:AUTH", + "channel": "pam_unix or pam_google_authenticator invoked repeatedly within short interval" }, { - "name": "NSM:Flow", - "channel": "TGS-REQ and AS-REQ seen for new user shortly after domain-modifying process" + "name": "auditd:SYSCALL", + "channel": "pam_authenticate, sshd" }, { - "name": "WinEventLog:Security", - "channel": "EventCode=4625" + "name": "auditd:SYSCALL", + "channel": "execution of ssh, scp, or sftp using previously unseen credentials or keys" }, { - "name": "saas:okta", - "channel": "session.impersonation.start" - }, - { - "name": "Okta:SystemLog", - "channel": "eventType: user.authentication.sso, app.oauth2.token.grant" - }, - { - "name": "azure:signinlogs", - "channel": "Success logs from high-risk accounts" - }, - { - "name": "networkdevice:syslog", - "channel": "config access, authentication logs" - }, - { - "name": "ESXiLogs:authlog", - "channel": "Unexpected login followed by encoding commands" - }, - { - "name": "saas:okta", - "channel": "Unusual OAuth app requesting message-read scopes for Slack/Teams/Jira" - }, - { - "name": 
"NSM:Connections", - "channel": "Accepted password or publickey for user from remote IP" - }, - { - "name": "macos:unifiedlog", - "channel": "successful sudo or authentication for account not normally associated with admin actions" - }, - { - "name": "esxi:vpxa", - "channel": "user login from unexpected IP or non-admin user role" - }, - { - "name": "m365:signinlogs", - "channel": "Sign-in from anomalous location or impossible travel condition" - }, - { - "name": "networkdevice:syslog", - "channel": "User privilege escalation to level 15/root prior to destructive commands" - }, - { - "name": "networkdevice:syslog", - "channel": "authorization/accounting logs" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4769, 1200, 1202" - }, - { - "name": "linux:syslog", - "channel": "sudo/date/timedatectl execution by non-standard users" - }, - { - "name": "saas:audit", - "channel": "Repeated requests to SMS-generating endpoints using anomalous or new user agents, IP ranges, or geographies." 
- }, - { - "name": "azure:signinlogs", - "channel": "Multiple MFA challenge requests without successful primary login" + "name": "auditd:USER_LOGIN", + "channel": "USER_AUTH" }, { "name": "AWS:CloudTrail", "channel": "AssumeRole or ConsoleLogin with repeated MFA failures followed by repeated MFA requests" }, { - "name": "auditd:AUTH", - "channel": "pam_unix or pam_google_authenticator invoked repeatedly within short interval" + "name": "AWS:CloudTrail", + "channel": "sts:GetFederationToken" }, { - "name": "WinEventLog:Security", - "channel": "EventCode=4768, 4769, 4770" + "name": "AWS:CloudTrail", + "channel": "AssumeRoleWithWebIdentity" }, { - "name": "NSM:Connections", - "channel": "Repeated failed authentication attempts or replay patterns" + "name": "AWS:CloudTrail", + "channel": "AWS IAM: ListUsers, ListRoles" + }, + { + "name": "AWS:CloudTrail", + "channel": "eventName=ConsoleLogin | eventType=AwsConsoleSignIn" + }, + { + "name": "AWS:CloudTrail", + "channel": "ConsoleLogin or AssumeRole" + }, + { + "name": "AWS:CloudTrail", + "channel": "ConsoleLogin, AssumeRole, ListAccessKeys, CreateUser" + }, + { + "name": "azure:signinlogs", + "channel": "Success logs from high-risk accounts" + }, + { + "name": "azure:signinlogs", + "channel": "Multiple MFA challenge requests without successful primary login" }, { "name": "azure:signinlogs", 
@@ -21057,81 +23629,225 @@ "name": "azure:signinlogs", "channel": "SignIn: Sign-ins flagged as atypical (new geographic region, unfamiliar device id) shortly after correlated endpoint/browser compromise times" }, - { - "name": "AWS:CloudTrail", - "channel": "sts:GetFederationToken" - }, - { - "name": "m365:unified", - "channel": "Delegated permission grants without user login event" - }, - { - "name": "saas:salesforce", - "channel": "API login using access_token without login history" - }, - { - "name": "AWS:CloudTrail", - "channel": "AssumeRoleWithWebIdentity" - }, { "name": "azure:signinlogs", "channel": "Operation=UserLogin" }, - { - "name": "esxi:auth", - "channel": "interactive shell or SSH access preceding storage enumeration" - }, - { - "name": "NSM:Connections", - "channel": "Successful login without expected MFA challenge" - }, - { - "name": "macos:unifiedlog", - "channel": "Login success without MFA step" - }, - { - "name": "kubernetes:apiserver", - "channel": "get/list requests to /api/v1/secrets or /api/v1/namespaces/*/serviceaccounts" - }, - { - "name": "auditd:SYSCALL", - "channel": "pam_authenticate, sshd" - }, - { - "name": "macos:unifiedlog", - "channel": "log show --predicate 'eventMessage contains \"Authentication\"'" - }, - { - "name": "esxi:vpxd", - "channel": "/var/log/vmware/vpxd.log" - }, { "name": "azure:signinlogs", "channel": "Unusual Token Usage or Application Consent" }, - { - "name": "networkdevice:syslog", - "channel": "Failed and successful logins to network devices outside approved admin IP ranges" - }, { "name": "azure:signinlogs", "channel": "OperationName=SetDomainAuthentication OR Set-FederatedDomain" }, - { - "name": "network:auth", - "channel": "repeated successful authentications with previously unknown accounts or anomalous password acceptance" - }, { "name": "azure:signinlogs", "channel": "Sign-in with unfamiliar location/device + portal navigation" }, + { + "name": "azure:signinlogs", + "channel": "Login from newly created 
account" + }, + { + "name": "azure:signinlogs", + "channel": "Interactive/Non-Interactive Sign-In" + }, + { + "name": "azure:signinlogs", + "channel": "Reset password or download key from portal" + }, + { + "name": "azure:signinlogs", + "channel": "status = failure" + }, + { + "name": "azure:signinlogs", + "channel": "Sign-in logs" + }, + { + "name": "azure:signinlogs", + "channel": "SigninSuccess" + }, + { + "name": "azure:signinlogs", + "channel": "Failure Reason + UserPrincipalName" + }, + { + "name": "azure:signinlogs", + "channel": "Sign-in activity" + }, + { + "name": "azure:signinlogs", + "channel": "Sign-in logs / audit events" + }, + { + "name": "esxi:auth", + "channel": "interactive shell or SSH access preceding storage enumeration" + }, + { + "name": "esxi:auth", + "channel": "/var/log/auth.log" + }, + { + "name": "esxi:auth", + "channel": "SSH session/login" + }, + { + "name": "esxi:vpxa", + "channel": "user login from unexpected IP or non-admin user role" + }, + { + "name": "esxi:vpxd", + "channel": "/var/log/vmware/vpxd.log" + }, + { + "name": "ESXiLogs:authlog", + "channel": "Unexpected login followed by encoding commands" + }, + { + "name": "gcp:audit", + "channel": "drive.activity" + }, + { + "name": "gcp:audit", + "channel": "login.event" + }, + { + "name": "gcp:audit", + "channel": "Sign-in logs / audit events" + }, + { + "name": "gcp:workspaceaudit", + "channel": "Token Generation via Domain Delegation" + }, + { + "name": "GCPAuditLogs:login.googleapis.com", + "channel": "Failed sign-in events" + }, + { + "name": "kubernetes:apiserver", + "channel": "get/list requests to /api/v1/secrets or /api/v1/namespaces/*/serviceaccounts" + }, + { + "name": "kubernetes:apiserver", + "channel": "authentication.k8s.io/v1beta1" + }, + { + "name": "kubernetes:audit", + "channel": "Failed login" + }, + { + "name": "kubernetes:audit", + "channel": "authentication.k8s.io" + }, + { + "name": "linux:auth", + "channel": "sshd login" + }, + { + "name": "linux:syslog", 
+ "channel": "sudo/date/timedatectl execution by non-standard users" + }, + { + "name": "linux:syslog", + "channel": "SSH failed login" + }, + { + "name": "linux:syslog", + "channel": "Failed password for invalid user" + }, + { + "name": "linux:syslog", + "channel": "sshd[pid]: Failed password" + }, + { + "name": "linux:syslog", + "channel": "authentication and authorization events during environmental validation phase" + }, + { + "name": "m365:exchange", + "channel": "Logon failure" + }, + { + "name": "m365:exchange", + "channel": "FailedLogin" + }, + { + "name": "m365:signinlogs", + "channel": "Sign-in from anomalous location or impossible travel condition" + }, { "name": "m365:signinlogs", "channel": "UserLoginSuccess" }, { - "name": "saas:salesforce", - "channel": "Login" + "name": "m365:signinlogs", + "channel": "Unusual sign-in from service principal to user mailbox" + }, + { + "name": "m365:unified", + "channel": "Delegated permission grants without user login event" + }, + { + "name": "m365:unified", + "channel": "login using refresh_token with no preceding authentication context" + }, + { + "name": "m365:unified", + "channel": "Sign-in logs" + }, + { + "name": "macos:unifiedlog", + "channel": "successful sudo or authentication for account not normally associated with admin actions" + }, + { + "name": "macos:unifiedlog", + "channel": "Login success without MFA step" + }, + { + "name": "macos:unifiedlog", + "channel": "log show --predicate 'eventMessage contains \"Authentication\"'" + }, + { + "name": "macos:unifiedlog", + "channel": "User credential prompt events without associated trusted installer package" + }, + { + "name": "macos:unifiedlog", + "channel": "Login failure / authorization denied" + }, + { + "name": "macos:unifiedlog", + "channel": "auth" + }, + { + "name": "macos:unifiedlog", + "channel": "Login Window and Authd errors" + }, + { + "name": "macos:unifiedlog", + "channel": "authd" + }, + { + "name": "network:auth", + "channel": "repeated 
successful authentications with previously unknown accounts or anomalous password acceptance" + }, + { + "name": "networkdevice:syslog", + "channel": "config access, authentication logs" + }, + { + "name": "networkdevice:syslog", + "channel": "User privilege escalation to level 15/root prior to destructive commands" + }, + { + "name": "networkdevice:syslog", + "channel": "authorization/accounting logs" + }, + { + "name": "networkdevice:syslog", + "channel": "Failed and successful logins to network devices outside approved admin IP ranges" }, { "name": "networkdevice:syslog", 
@@ -21145,166 +23861,74 @@ "name": "networkdevice:syslog", "channel": "Privileged login followed by destructive command sequence" }, - { - "name": "azure:signinlogs", - "channel": "Login from newly created account" - }, - { - "name": "auditd:SYSCALL", - "channel": "execution of ssh, scp, or sftp using previously unseen credentials or keys" - }, - { - "name": "m365:unified", - "channel": "login using refresh_token with no preceding authentication context" - }, - { - "name": "saas:googleworkspace", - "channel": "API access without user login" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4769" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4776, 4625" - }, - { - "name": "azure:signinlogs", - "channel": "Interactive/Non-Interactive Sign-In" - }, - { - "name": "AWS:CloudTrail", - "channel": "AWS IAM: ListUsers, ListRoles" - }, - { - "name": "gcp:workspaceaudit", - "channel": "Token Generation via Domain Delegation" - }, - { - "name": "m365:signinlogs", - "channel": "Unusual sign-in from service principal to user mailbox" - }, - { - "name": "macos:unifiedlog", - "channel": "User credential prompt events without associated trusted installer package" - }, - { - "name": "linux:auth", - "channel": "sshd login" - }, - { - "name": "saas:googleworkspace", - "channel": "Accessed third-party credential management service" - }, - { - "name": "azure:signinlogs", - "channel": "Reset password or download key from portal" - }, - { - "name": "linux:syslog", - "channel": "SSH failed login" - }, - { - "name": "macos:unifiedlog", - "channel": "Login failure / authorization denied" - }, - { - "name": "azure:signinlogs", - "channel": "status = failure" - }, - { - "name": "Okta:authn", - "channel": "authentication_failure" - }, - { - "name": "saas-app:auth", - "channel": "login_failure" - }, { "name": "networkdevice:syslog", "channel": "AAA, RADIUS, or TACACS authentication" }, - { - "name": "kubernetes:apiserver", - "channel": 
"authentication.k8s.io/v1beta1" - }, - { - "name": "m365:exchange", - "channel": "Logon failure" - }, - { - "name": "AWS:CloudTrail", - "channel": "eventName=ConsoleLogin | eventType=AwsConsoleSignIn" - }, - { - "name": "auditd:USER_LOGIN", - "channel": "USER_AUTH" - }, - { - "name": "azure:signinlogs", - "channel": "Sign-in logs" - }, - { - "name": "macos:unifiedlog", - "channel": "auth" - }, - { - "name": "m365:unified", - "channel": "Sign-in logs" - }, - { - "name": "AWS:CloudTrail", - "channel": "ConsoleLogin or AssumeRole" - }, - { - "name": "esxi:auth", - "channel": "/var/log/auth.log" - }, { "name": "networkdevice:syslog", "channel": "authentication logs" }, - { - "name": "azure:signinlogs", - "channel": "SigninSuccess" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4625, 4771, 4648" - }, - { - "name": "linux:syslog", - "channel": "Failed password for invalid user" - }, - { - "name": "macos:unifiedlog", - "channel": "Login Window and Authd errors" - }, - { - "name": "azure:signinlogs", - "channel": "Failure Reason + UserPrincipalName" - }, - { - "name": "saas:okta", - "channel": "authentication_failure" - }, { "name": "networkdevice:syslog", "channel": "AAA or TACACS authentication failures" }, { - "name": "kubernetes:audit", - "channel": "Failed login" + "name": "networkdevice:syslog", + "channel": "authentication & authorization" }, { - "name": "m365:exchange", - "channel": "FailedLogin" + "name": "networkdevice:syslog", + "channel": "login failed" + }, + { + "name": "NSM:Connections", + "channel": "Accepted password or publickey for user from remote IP" + }, + { + "name": "NSM:Connections", + "channel": "Repeated failed authentication attempts or replay patterns" + }, + { + "name": "NSM:Connections", + "channel": "Successful login without expected MFA challenge" + }, + { + "name": "NSM:Connections", + "channel": "sshd or PAM logins" + }, + { + "name": "NSM:Flow", + "channel": "TGS-REQ and AS-REQ seen for new user shortly after 
domain-modifying process" + }, + { + "name": "Okta:authn", + "channel": "authentication_failure" + }, + { + "name": "Okta:SystemLog", + "channel": "eventType: user.authentication.sso, app.oauth2.token.grant" + }, + { + "name": "saas-app:auth", + "channel": "login_failure" + }, + { + "name": "saas:audit", + "channel": "Repeated requests to SMS-generating endpoints using anomalous or new user agents, IP ranges, or geographies." }, { "name": "saas:auth", "channel": "signin_failed" }, + { + "name": "saas:googleworkspace", + "channel": "API access without user login" + }, + { + "name": "saas:googleworkspace", + "channel": "Accessed third-party credential management service" + }, { "name": "saas:googleworkspace", "channel": "login with reused session token and mismatched user agent or IP" 
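Review bot: The entries re-added here keep several spellings for what appears to be the same source. `Okta:authn` and `Okta:SystemLog` sit beside `saas:okta`, which carries the identical `authentication_failure` channel in the following hunk, and `saas-app:auth` sits beside `saas:auth`. The list now looks sorted case-insensitively by name, so these variants land in different places and a lookup on one name silently misses the others. If they refer to the same feed, normalise them to a single name such as `"name": "saas:okta"` and `"name": "saas:auth"`, and drop the resulting duplicate. The array starts and ends outside this hunk.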
@@ -21314,72 +23938,72 @@ "channel": "Access via OAuth credentials with unusual scopes or from anomalous IPs" }, { - "name": "networkdevice:syslog", - "channel": "authentication & authorization" + "name": "saas:MDM", + "channel": "Authentication events to device management or enterprise mobility management consoles" }, { - "name": "azure:signinlogs", - "channel": "Sign-in activity" + "name": "saas:MDM", + "channel": "Authentication events to Apple iCloud or enterprise device management services" }, { - "name": "AWS:CloudTrail", - "channel": "ConsoleLogin, AssumeRole, ListAccessKeys, CreateUser" + "name": "saas:okta", + "channel": "session.impersonation.start" }, { - "name": "gcp:audit", - "channel": "drive.activity" + "name": "saas:okta", + "channel": "Unusual OAuth app requesting message-read scopes for Slack/Teams/Jira" }, { - "name": "gcp:audit", - "channel": "login.event" - }, - { - "name": "linux:syslog", - "channel": "sshd[pid]: Failed password" - }, - { - "name": "macos:unifiedlog", - "channel": "authd" - }, - { - "name": "networkdevice:syslog", - "channel": "login failed" - }, - { - "name": "GCPAuditLogs:login.googleapis.com", - "channel": "Failed sign-in events" - }, - { - "name": "esxi:auth", - "channel": "SSH session/login" - }, - { - "name": "NSM:Connections", - "channel": "sshd or PAM logins" + "name": "saas:okta", + "channel": "authentication_failure" }, { "name": "saas:okta", "channel": "Sign-in logs / audit events" }, { - "name": "gcp:audit", - "channel": "Sign-in logs / audit events" + "name": "saas:okta", + "channel": "user.account.reset_password; user.mfa.factor.activate; app.oauth2.authorize" }, { - "name": "azure:signinlogs", - "channel": "Sign-in logs / audit events" + "name": "saas:salesforce", + "channel": "API login using access_token without login history" }, { - "name": "kubernetes:audit", - "channel": "authentication.k8s.io" + "name": "saas:salesforce", + "channel": "Login" + }, + { + "name": "User Account", + "channel": "None" + }, + { 
+ "name": "WinEventLog:Security", + "channel": "EventCode=4625" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4769, 1200, 1202" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4768, 4769, 4770" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4769" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4776, 4625" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4625, 4771, 4648" }, { "name": "WinEventLog:Security", "channel": "EventCode=4648" - }, - { - "name": "linux:syslog", - "channel": "authentication and authorization events during environmental validation phase" } ] }, @@ -21531,23 +24155,24 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datacomponents/DC0016", + "url": "https://attack.mitre.org/data-components/DC0016", "external_id": "DC0016" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-01-29T17:21:27.873Z", "name": "Module Load", "description": "When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { 
@@ -21705,6 +24330,30 @@ { "name": "etw:Microsoft-Windows-Kernel-ImageLoad", "channel": "provider: Unsigned/user-writable image loads into msbuild.exe" + }, + { + "name": "android:logcat", + "channel": "DexClassLoader/PathClassLoader load attempt from non-standard path or recently created file" + }, + { + "name": "android:logcat", + "channel": "Short burst of file I/O followed by JNI/dlopen of a newly created .so" + }, + { + "name": "iOS:unifiedlog", + "channel": "dyld: dlopen/dyld_cache load from non-standard app-writable path" + }, + { + "name": "android:logcat", + "channel": "DexClassLoader/PathClassLoader loading from app-writable path OR reflective defineClass on byte[] payload" + }, + { + "name": "iOS:unifiedlog", + "channel": "dlopen/image load from app-writable path (tmp, Caches) outside bundled resources" + }, + { + "name": "android:logcat", + "channel": "DexClassLoader|PathClassLoader load from app-writable path OR dlopen of a freshly created .so" } ] }, 
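Review bot: Three of the added `android:logcat` entries describe the same DexClassLoader/PathClassLoader load from an app-writable path, differing only in wording and separators (`/`, `|`, `OR`). The two `iOS:unifiedlog` entries likewise both cover a dlopen from an app-writable path. A consumer that indexes or deduplicates log sources on the exact (name, channel) string will count these as five separate signals and inflate coverage for Module Load on mobile. Consider collapsing each group to one canonical channel string, for example keeping only `"DexClassLoader|PathClassLoader load from app-writable path OR dlopen of a freshly created .so"` for Android.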
@@ -21717,17 +24366,16 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datacomponents/DC0063", + "url": "https://attack.mitre.org/data-components/DC0063", "external_id": "DC0063" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-03-13T23:12:09.029Z", "name": "Windows Registry Key Modification", "description": "Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings.\n\n*Data Collection Measures:*\n\n- Windows Event Logs\n - Event ID 4657 - Registry Value Modified: Logs changes to registry values, including modifications to startup entries, security settings, or system configurations.\n- Sysmon (System Monitor) for Windows\n - Sysmon Event ID 13 - Registry Value Set: Captures changes to specific registry values.\n - Sysmon Event ID 14 - Registry Key & Value Renamed: Logs renaming of registry keys, which may indicate evasion attempts.\n- Endpoint Detection and Response (EDR) Solutions\n - Monitor registry modifications for suspicious behavior.", - "x_mitre_data_source_ref": "", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ @@ -21737,10 +24385,6 @@ "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ - { - "name": "Windows Registry", - "channel": "None" - }, { "name": "WinEventLog:Security", "channel": "EventCode=4657" 
@@ -21795,16 +24439,17 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-23T18:19:16.114Z", "name": "File Deletion", "description": "Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { @@ -21894,6 +24539,18 @@ { "name": "auditd:CONFIG_CHANGE", "channel": "/etc/fstab, /etc/systemd/*" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application deletes, alters, renames, relocates, or suppresses local artifacts relevant to detection, including files, hidden media, compromise markers, or app-local evidence, before later continued execution or transfer" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication" } ] }, 
@@ -21913,7 +24570,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-16T17:01:33.771Z", "name": "Process Metadata", "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -21923,7 +24580,7 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { @@ -22101,6 +24758,10 @@ { "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", "channel": "Unsigned or untrusted modules loaded during JamPlus.exe runtime" + }, + { + "name": "macos:unifiedlog", + "channel": "Crash or abnormal termination of security agent or system extension host" } ] }, @@ -22113,23 +24774,24 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datacomponents/DC0001", + "url": "https://attack.mitre.org/data-components/DC0001", "external_id": "DC0001" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-09T17:05:23.355Z", "name": "Scheduled Job Creation", "description": "The establishment of a task or job that will execute at a predefined time or based on specific triggers.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { 
@@ -22195,6 +24857,10 @@ { "name": "linux:cron", "channel": "Scheduled execution of unknown or unusual script/binary" + }, + { + "name": "MobiledEDR:telemetry", + "channel": "Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger" } ] }, 
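Review bot: The added log source `"name": "MobiledEDR:telemetry"` looks like a misspelling of `MobileEDR:telemetry`, the name used by the three entries added to File Deletion earlier in this diff. Log-source names are compared as exact strings, so analytics or coverage maps keyed on the mobile EDR source would silently miss this Scheduled Job Creation entry. Suggested line: `"name": "MobileEDR:telemetry",`.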
@@ -23063,6 +25729,94 @@ }, { "type": "x-mitre-asset", + "spec_version": "2.1", + "id": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "created": "2023-09-28T14:55:39.339Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0007", + "external_id": "A0007" + }, + { + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T01:04:14.767Z", + "name": "Control Server", + "description": "Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Supervisory Control And Data Acquisition (SCADA) Server", + "related_asset_sectors": [ + "General", + "Electric", + "Water and Wastewater" + ], + "description": "A SCADA server is used to perform monitoring and control across a distributed environment. It typically has an associated HMI to provide information to a human operator and heavily depends on the human operator to initiate control actions." 
+ }, + { + "name": "Master Terminal Unit (MTU)", + "related_asset_sectors": [ + "General" + ], + "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)" + }, + { + "name": "Supervisory Controller", + "related_asset_sectors": [ + "General" + ], + "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)" + }, + { + "name": "Distribution/Energy Management System (DMS/EMS)", + "related_asset_sectors": [ + "Electric" + ], + "description": "A DMS and EMS are electric sector-specific systems that are commonly used to manage distribution and transmission-level electrical grids. These systems typically integrate a SCADA server and HMI with domain-specific data analysis applications, such as state-estimation and contingency analysis (EMS), or voltage-var control or fault restoration (DMS). These systems also maintain visibility (and in some cases control) through a variety of integrated and distributed automation systems. " + }, + { + "name": "Building Management / Automation System (BMS / BAS)", + "related_asset_sectors": [ + "General" + ], + "description": "A controller (or set of controllers) that manages functionality for many common commercial / industrial buildings, such as heating, ventilation, and air conditioning (HVAC), lighting, elevators, etc." + }, + { + "name": "Manufacturing Execution System (MES)", + "related_asset_sectors": [ + "Manufacturing" + ], + "description": "A controller that oversees the performance, efficiency, life cycle, and resourcing for a manufacturing process within the ICS environment at a facility. 
A MES may interact with an Enterprise Resource Planning (ERP) system in the business environment to coordinate resourcing and job planning." + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Embedded", + "Linux", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "2.1", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "created": "2023-09-28T14:58:00.982Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -23077,7 +25831,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-22T15:13:16.424Z", + "modified": "2026-04-23T01:01:24.568Z", "name": "Application Server", "description": "Application servers are used across many different sectors to host various diverse software applications necessary to supporting the ICS. Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers. The application server typically runs on a modern server operating system (e.g., MS Windows Server).", "x_mitre_sectors": [ 
@@ -23143,14 +25897,81 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Windows", - "Linux" + "Linux", + "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "x-mitre-asset", + "spec_version": "2.1", + "id": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "created": "2023-09-28T15:10:05.534Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0010", + "external_id": "A0010" + }, + { + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "SIGTTO ESD 2021", + "description": "Society of International Gas Tanker & Terminal Operators Ltd. (2021). ESD Systems: Recommendations for Emergency Shutdown and Related Safety Systems (Second Edition). Retrieved September 28, 2023.", + "url": "https://sigtto.org/media/3457/sigtto-2021-esd-systems.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-27T17:25:50.475Z", + "name": "Safety Controller", + "description": "Safety controllers are typically a type of field device used to perform the safety critical function. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector specific functions/applications. 
The safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Safety Instrumented System (SIS) controller", + "related_asset_sectors": [ + "General" + ], + "description": "SIS controllers are used to \u201ctake the process to a safe state when predetermined conditions are violated\u201d (Citation: Guidance - NIST SP800-82) through the reading of sensor data and interaction with digital/physical control surfaces. These devices are oftentimes located on programmable embedded devices running specialized RTOS or other embedded operating systems. " + }, + { + "name": "Emergency Shutdown Systems (ESD) controller", + "related_asset_sectors": [ + "General" + ], + "description": "Emergency Shutdown System controllers are used to read sensor values and interact with control surfaces to return the system \u201cto a safe static condition so that any remedial action can be taken\u201d. (Citation: SIGTTO ESD 2021)" + }, + { + "name": "Burner Management Systems (BMS) controller", + "related_asset_sectors": [ + "General" + ], + "description": "Burner Management System controllers are used to interact with sensors and control surfaces to maintain safe operating conditions for the burner. These can include safely starting-up and managing the main flame, controlling and monitoring the burning conditions, and safely initiating planned or unplanned shutdown sequences." + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0" }, { 
@@ -23167,6 +25988,7 @@ "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", + "spec_version": "2.1", "id": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", "created": "2023-09-27T13:11:52.340Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -23187,14 +26009,11 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "ics-attack", - "enterprise-attack" - ] + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "created": "2023-09-28T14:22:49.837Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -23214,7 +26033,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:58:23.607Z", + "modified": "2026-04-23T01:04:34.868Z", "name": "Workstation", "description": "Workstations are devices used by human operators or engineers to perform various configuration, programming, maintenance, diagnostic, or operational tasks. Workstations typically utilize standard desktop or laptop hardware and operating systems (e.g., MS Windows), but run dedicated control system applications or diagnostic/management software to support interfacing with the control servers or field devices. Some workstations have a fixed location within the network architecture, while others are transient devices that are directly connected to various field devices to support local management activities.", "x_mitre_sectors": [ 
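Review bot: The second hunk removes `x_mitre_domains` from campaign--46421788-b6e1-4256-b351-f8beffd1afba, and the Triton campaign hunk further down does the same, while the intrusion-set object later in this diff keeps the field. Tooling that selects objects per domain by reading `x_mitre_domains` would stop returning these campaigns, so the removal deserves a mention in the release notes or a check of downstream filters. This campaign also still declares `"x_mitre_attack_spec_version": "3.2.0"` and `"x_mitre_version": "1.0"`, whereas the Triton campaign is bumped to 3.3.0 and 1.1 for the same kind of change. The object starts before the hunk, so whether its `modified` timestamp was updated cannot be seen here.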
@@ -23238,18 +26057,34 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Windows", - "Linux" + "Linux", + "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0" }, { - "modified": "2023-10-04T18:01:02.506Z", + "type": "x-mitre-asset", + "spec_version": "2.1", + "id": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "created": "2023-09-28T14:46:42.566Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0005", + "external_id": "A0005" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-27T16:47:33.077Z", "name": "Intelligent Electronic Device (IED)", "description": "An Intelligent Electronic Device (IED) is a type of specialized field device that is designed to perform specific operational functions, frequently for protection, monitoring, or control within the electric sector. IEDs are typically used to both acquire telemetry and execute tailored control algorithms/actions based on customizable parameters/settings. An IED is usually implemented as a dedicated embedded device and supports various network automation protocols to communicate with RTUs and Control Servers.", "x_mitre_sectors": [ @@ -23265,10 +26100,13 @@ }, { "name": "Field Device / Controller", - "related_asset_sectors": [], + "related_asset_sectors": [ + "General" + ], "description": "IEDs may be referred to as Field Controllers or Field Devices as a general function name. " } ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Embedded" ], 
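Review bot: The empty `"related_asset_sectors": []` on the "Field Device / Controller" related asset is replaced with `["General"]` in the second hunk here, but the Firewall asset's "Device Firewall" entry later in this diff has the same empty list deleted outright. The result is a related-asset entry with no `related_asset_sectors` key at all, and a consumer that iterates that field unconditionally will fail or skip the entry. Handling both the same way would keep the shape stable, for example `"related_asset_sectors": ["General"],` on "Device Firewall" if that sector is the intended value.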
@@ -23276,27 +26114,12 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "type": "x-mitre-asset", - "id": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", - "created": "2023-09-28T14:46:42.566Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/assets/A0005", - "external_id": "A0005" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "created": "2023-09-29T18:55:09.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -23316,7 +26139,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:56:56.316Z", + "modified": "2026-04-27T17:45:55.901Z", "name": "Routers", "description": "A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.(Citation: IETF RFC4949 2007)", "x_mitre_sectors": [ @@ -23331,11 +26154,12 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0" }, { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "created": "2023-09-28T15:01:48.509Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -23350,7 +26174,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:43:43.474Z", + "modified": "2026-04-27T17:47:40.077Z", "name": "Data Gateway", "description": "Data Gateway is a device that supports the communication and exchange of data between different systems, networks, or protocols within the ICS. Different types of data gateways are used to perform various functions, including:\n\n * Protocol Translation: Enable communication to devices that support different or incompatible protocols by translating information from one protocol to another. \n * Media Converter: Convert data across different Layer 1 and 2 network protocols / mediums, for example, converting from Serial to Ethernet. \n * Data Aggregation: Collect and combine data from different devices into one consistent format and protocol interface. \n* Data Mirroring: Create a real-time, exact copy of data streams from devices to a separate destination for redundancy, monitoring, or backup purposes.\n\nData gateways are often critical to the forwarding/transmission of critical control or monitoring data within the ICS. Further, these devices often have remote various network services that are used to communicate across different zones or networks. \n\nThese assets may focus on a single function listed below or combinations of these functions to best fit the industry use-case. \n", "x_mitre_sectors": [ 
@@ -23391,35 +26215,12 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0" }, { - "modified": "2023-10-04T17:59:11.489Z", - "name": "Human-Machine Interface (HMI)", - "description": "Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.", - "x_mitre_sectors": [ - "General" - ], - "x_mitre_related_assets": [ - { - "name": "Operator Workstation (OWS)", - "related_asset_sectors": [ - "General" - ], - "description": "An Operator Workstation (OWS) or Console is a system or device used by an operator to interface with a control system, including to access/visualizes key information or parameters about the operational process and initiate control actions. This typically consists of specialized OWS software installed on a Workstation platform. (Citation: IEC February 2019)" - } - ], - "x_mitre_platforms": [ - "Windows", - "Linux" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "created": "2023-09-28T14:38:54.407Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -23439,11 +26240,36 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-23T00:58:37.171Z", + "name": "Human-Machine Interface (HMI)", + "description": "Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Operator Workstation (OWS)", + "related_asset_sectors": [ + "General" + ], + "description": "An Operator Workstation (OWS) or Console is a system or device used by an operator to interface with a control system, including to access/visualizes key information or parameters about the operational process and initiate control actions. This typically consists of specialized OWS software installed on a Workstation platform. (Citation: IEC February 2019)" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", "created": "2025-09-24T18:17:26.575Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -23458,7 +26284,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:34:14.912Z", + "modified": "2026-04-27T18:02:22.344Z", "name": "Firewall", "description": "A gateway that limits access between networks in accordance with local security policy.\n\nIn ICS networks, firewalls can exist in multiple locations in the network architecture and serve a variety of purposes. The first, and often the most important, is the firewall segmenting the ICS network from the business network. This firewall acts as the primary network boundary point that controls the ingress/egress of network traffic between the ICS and business networks. This firewall may also be a single device connected to multiple network segments, where the firewall defines individual zones for the different network segments and can control access to the zones and between the zones. This can limit the ability of an adversary to traverse a network.\n", "x_mitre_sectors": [ 
@@ -23474,38 +26300,76 @@ }, { "name": "Device Firewall", - "related_asset_sectors": [], "description": "A device firewall is used to control the flow of traffic between a network and an individual device. It is used when additional protections are required beyond that of a boundary firewall. For example, a boundary firewall may limit traffic on the network to two protocols, but, a device firewall may further limit traffic to a particular device on that network to a single protocol." } ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Network", "Embedded", "Windows", - "Linux" + "Linux", + "Network" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0" }, { - "modified": "2024-11-17T16:15:02.223Z", - "name": "Triton Safety Instrumented System Attack", - "description": "[Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign employed by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization.(Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.(Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.(Citation: FireEye TRITON 2017)\n", - "aliases": [ - "Triton Safety Instrumented System Attack" + "type": "x-mitre-asset", + "spec_version": "2.1", + "id": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "created": "2025-09-24T22:53:09.627Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/assets/A0017", + "external_id": "A0017" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T01:01:01.668Z", + "name": "Distributed Control System (DCS) Controller", + "description": "A Distributed Control System (DCS) Controller is a microprocessor unit that is used to manage automation processes. DCS Controllers are often found in plants (chemical, manufacturing, oil and gas, etc.) where large scale continuous automation processes are required. A DCS Controller typically operates as part of a larger networked system with other DCS Controllers where each DCS Controller manages an individual part of a continuous process. In addition to these other controllers, DCS Controllers operate along side multiple other system components including system software, operator stations, and other embedded field controllers. The distributed nature of DCS Controllers provides scalability, redundancy, and improved process reliability. DCS Controllers are programmed using traditional process automation programming languages (IEC-61131). ", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Field Device / Controller", + "related_asset_sectors": [ + "General" + ], + "description": "Distributed Control System (DCS) Controller may be referred to as Field Controllers or Field Devices as a general function name." + }, + { + "name": "Programmable Logic Controller (PLC)", + "related_asset_sectors": [ + "General" + ], + "description": "Programmable Logic Controllers (PLC) share some of the same functionality as DCS Controllers, although often without more advanced control features. 
" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Embedded" ], - "first_seen": "2017-06-01T04:00:00.000Z", - "last_seen": "2017-08-01T04:00:00.000Z", - "x_mitre_first_seen_citation": "(Citation: Triton-EENews-2017)", - "x_mitre_last_seen_citation": "(Citation: Triton-EENews-2017)", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" + }, + { "type": "campaign", + "spec_version": "2.1", "id": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", "created": "2024-03-25T17:47:37.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -23535,15 +26399,24 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", + "modified": "2026-04-23T00:24:57.457Z", + "name": "Triton Safety Instrumented System Attack", + "description": "[Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign employed by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization.(Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.(Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.(Citation: FireEye TRITON 2017)\n", + "aliases": [ + "Triton Safety Instrumented System Attack" + ], + "first_seen": "2017-06-01T04:00:00.000Z", + "last_seen": "2017-08-01T04:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Triton-EENews-2017)", + "x_mitre_last_seen_citation": "(Citation: Triton-EENews-2017)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "ics-attack", - "enterprise-attack" - ] + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", "created": "2025-09-24T17:53:28.482Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -23558,7 +26431,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:34:42.547Z", + "modified": "2026-04-27T18:01:55.383Z", "name": "Switch", "description": "A switch is a network device that connects endpoints (e.g., workstations, servers, HMIs, PLCs, etc.) so that they can communicate and share data and resources. Switches may operate at either Layer 2 or Layer 3 of the OSI Model and intelligently forward packets across the network based on the specified address (Media Access Control (MAC) address for Layer 2 and Internet Protocol (IP) address for Layer 3). Switches are typically used to define network segments and connect the devices within a particular level of the Purdue Model. ", "x_mitre_sectors": [ @@ -23603,14 +26476,14 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Network", - "Embedded" + "Embedded", + "Network" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0" }, { @@ -23635,6 +26508,7 @@ "Dragos Threat Intelligence" ], "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "created": "2017-05-31T21:32:05.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -23759,12 +26633,50 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack", "ics-attack" + ] + }, + { + "type": "x-mitre-asset", + "spec_version": "2.1", + "id": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "created": "2023-09-28T14:44:54.756Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0004", + "external_id": "A0004" + } ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:58:18.239Z", + "name": "Remote Terminal Unit (RTU)", + "description": "A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. An RTU can be implemented as a dedicated embedded device, as software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.", + "x_mitre_sectors": [ + "Electric", + "General", + "Water and Wastewater" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Embedded", + "Linux", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "modified": "2024-08-14T15:24:19.141Z", 
@@ -23783,6 +26695,7 @@ "Mindaugas Gudzis, BT Security" ], "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -23834,91 +26747,16 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack", "ics-attack" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "type": "x-mitre-asset", - "id": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", - "created": "2025-09-24T22:53:09.627Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/assets/A0017", - "external_id": "A0017" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T16:17:35.766Z", - "name": "Distributed Control System (DCS) Controller", - "description": "A Distributed Control System (DCS) Controller is a microprocessor unit that is used to manage automation processes. DCS Controllers are often found in plants (chemical, manufacturing, oil and gas, etc.) where large scale continuous automation processes are required. A DCS Controller typically operates as part of a larger networked system with other DCS Controllers where each DCS Controller manages an individual part of a continuous process. In addition to these other controllers, DCS Controllers operate along side multiple other system components including system software, operator stations, and other embedded field controllers. The distributed nature of DCS Controllers provides scalability, redundancy, and improved process reliability. DCS Controllers are programmed using traditional process automation programming languages (IEC-61131). 
", - "x_mitre_sectors": [ - "General" - ], - "x_mitre_related_assets": [ - { - "name": "Field Device / Controller", - "related_asset_sectors": [ - "General" - ], - "description": "Distributed Control System (DCS) Controller may be referred to as Field Controllers or Field Devices as a general function name." - }, - { - "name": "Programmable Logic Controller (PLC)", - "related_asset_sectors": [ - "General" - ], - "description": "Programmable Logic Controllers (PLC) share some of the same functionality as DCS Controllers, although often without more advanced control features. " - } - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Embedded" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0" - }, - { - "modified": "2023-10-04T19:26:49.788Z", - "name": "Field I/O", - "description": "Field I/O are devices that communicate with a controller or data aggregator to either send input data or receive output data. Input data may include readings about a given environment/device state from sensors, while output data may include data sent back to actuators for them to either undertake actions or change parameter values.(Citation: Guidance - NIST SP800-82) These devices are frequently embedded devices running on lightweight embedded operating systems or RTOSes. ", - "x_mitre_related_assets": [ - { - "name": "Smart Sensors", - "related_asset_sectors": [ - "General" - ], - "description": "*A device that procures a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow).* (Citation: Guidance - NIST SP800-82) Smart sensors take this functionality and add on on-device processing and network communication." 
- }, - { - "name": "Variable Frequency Drive (VFD)", - "related_asset_sectors": [ - "General" - ], - "description": "*A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.* (Citation: Guidance - NIST SP800-82) VFDs can be network connected." - } - ], - "x_mitre_platforms": [ - "Embedded" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", - "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "created": "2023-09-28T17:57:22.946Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -23938,11 +26776,42 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-27T16:50:21.228Z", + "name": "Field I/O", + "description": "Field I/O are devices that communicate with a controller or data aggregator to either send input data or receive output data. Input data may include readings about a given environment/device state from sensors, while output data may include data sent back to actuators for them to either undertake actions or change parameter values.(Citation: Guidance - NIST SP800-82) These devices are frequently embedded devices running on lightweight embedded operating systems or RTOSes. ", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Smart Sensors", + "related_asset_sectors": [ + "General" + ], + "description": "*A device that procures a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow).* (Citation: Guidance - NIST SP800-82) Smart sensors take this functionality and add on on-device processing and network communication." + }, + { + "name": "Variable Frequency Drive (VFD)", + "related_asset_sectors": [ + "General" + ], + "description": "*A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.* (Citation: Guidance - NIST SP800-82) VFDs can be network connected." 
+ } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "created": "2023-09-28T14:48:36.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -23957,7 +26826,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:55:17.864Z", + "modified": "2026-04-23T01:03:57.506Z", "name": "Data Historian", "description": "Data historians, or historian, are systems used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting devices. The historian typically utilizes a database to store this data, and commonly provide tools and interfaces to support the analysis of the data. Data historians are often used to support various engineering or business analysis functions and therefore commonly needs access from the corporate network. Data historians often work in a hierarchical paradigm where lower/site level historians collect and store data which is then aggregated into a site/plant level historian. Therefore, data historians often have remote services that can be accessed externally from the ICS network. Many data historian vendors have designed their software to securely transfer data between the ICS and business networks instead of requiring business systems to access the data historian in the ICS network directly.", "x_mitre_sectors": [ 
@@ -23965,19 +26834,20 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Windows", + "Embedded", "Linux", - "Embedded" + "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0" }, { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", "created": "2025-09-29T18:56:19.712Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -23992,9 +26862,12 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-03T17:46:10.281Z", + "modified": "2026-04-27T16:50:01.628Z", "name": "Programmable Automation Controller (PAC)", "description": "A Programmable Automation Controller (PAC) is an embedded programmable control device. PACs are designed to enable automation applications across integrated software applications, peer controllers (e.g., PLC), Human Machine Interfaces, and other systems. PACs often include advanced features for process control, motion control, drive control, and vision applications. PACs are programmed using traditional process automation programming languages (IEC-61131) and sometimes languages such as C and C++ to support more advanced controls.", + "x_mitre_sectors": [ + "General" + ], "x_mitre_related_assets": [ { "name": "Field Device / Controller", 
@@ -24019,130 +26892,106 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0" }, { - "modified": "2023-10-04T18:05:43.237Z", - "name": "Remote Terminal Unit (RTU)", - "description": "A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. An RTU can be implemented as a dedicated embedded device, as software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.", + "type": "x-mitre-asset", + "spec_version": "2.1", + "id": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "created": "2023-09-28T15:13:07.950Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0011", + "external_id": "A0011" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:57:53.372Z", + "name": "Virtual Private Network (VPN) Server", + "description": "A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. 
VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.", "x_mitre_sectors": [ - "Electric", - "Water and Wastewater", "General" ], + "x_mitre_related_assets": [ + { + "name": "Virtual Private Network (VPN) terminator", + "related_asset_sectors": [ + "General" + ], + "description": "A VPN terminator is a device performs the role of either a VPN client or server to support the establishment of VPN connection. (Citation: IEC February 2019)" + }, + { + "name": "Field VPN", + "related_asset_sectors": [ + "General" + ], + "description": "Field VPN are typically deployed at remote outstations and are used to create secure connections to VPN servers within data/control center environments. 
" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Embedded", - "Windows", - "Linux" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", - "type": "x-mitre-asset", - "id": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", - "created": "2023-09-28T14:44:54.756Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/assets/A0004", - "external_id": "A0004" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2023-10-16T18:49:08.504Z", - "name": "Safety Controller", - "description": "Safety controllers are typically a type of field device used to perform the safety critical function. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector specific functions/applications. The safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.", - "x_mitre_related_assets": [ - { - "name": "Safety Instrumented System (SIS) controller", - "related_asset_sectors": [], - "description": "SIS controllers are used to \u201ctake the process to a safe state when predetermined conditions are violated\u201d (Citation: Guidance - NIST SP800-82) through the reading of sensor data and interaction with digital/physical control surfaces. These devices are oftentimes located on programmable embedded devices running specialized RTOS or other embedded operating systems. 
" - }, - { - "name": "Emergency Shutdown Systems (ESD) controller", - "related_asset_sectors": [], - "description": "Emergency Shutdown System controllers are used to read sensor values and interact with control surfaces to return the system \u201cto a safe static condition so that any remedial action can be taken\u201d. (Citation: SIGTTO ESD 2021)" - }, - { - "name": "Burner Management Systems (BMS) controller", - "related_asset_sectors": [], - "description": "Burner Management System controllers are used to interact with sensors and control surfaces to maintain safe operating conditions for the burner. These can include safely starting-up and managing the main flame, controlling and monitoring the burning conditions, and safely initiating planned or unplanned shutdown sequences." - } - ], - "x_mitre_platforms": [ - "Embedded" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", - "type": "x-mitre-asset", - "id": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", - "created": "2023-09-28T15:10:05.534Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/assets/A0010", - "external_id": "A0010" - }, - { - "source_name": "Guidance - NIST SP800-82", - "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "SIGTTO ESD 2021", - "description": "Society of International Gas Tanker & Terminal Operators Ltd. (2021). ESD Systems: Recommendations for Emergency Shutdown and Related Safety Systems (Second Edition). 
Retrieved September 28, 2023.", - "url": "https://sigtto.org/media/3457/sigtto-2021-esd-systems.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2023-10-04T18:03:06.811Z", - "name": "Jump Host", - "description": "Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts. 
", - "x_mitre_sectors": [ - "General" - ], - "x_mitre_related_assets": [ - { - "name": "Intermediate System", - "related_asset_sectors": [ - "Electric" - ], - "description": "A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users.(Citation: North American Electric Reliability Corporation June 2021)" - } - ], - "x_mitre_platforms": [ - "Windows", "Linux", - "Embedded" + "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "campaign", + "spec_version": "2.1", + "id": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "created": "2023-03-10T20:01:08.133Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0020", + "external_id": "C0020" + }, + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:26:23.900Z", + "name": "Maroochy Water Breach", + "description": "[Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020) was an incident in 2000 where an adversary leveraged the local government\u2019s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.(Citation: Marshall Abrams July 2008)", + "aliases": [ + "Maroochy Water Breach" + ], + "first_seen": "2000-02-01T05:00:00.000Z", + "last_seen": "2000-04-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Marshall Abrams July 2008)", + "x_mitre_last_seen_citation": "(Citation: Marshall Abrams July 2008)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" + }, + { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "created": "2023-09-28T17:52:53.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -24162,39 +27011,37 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2023-10-04T18:09:21.296Z", - "name": "Programmable Logic Controller (PLC)", - "description": "A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support its processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry specific programming languages, such as IEC 61131 (Citation: IEC February 2013), which define the set of tasks and program organizational units (POUs) included in the device\u2019s programs. PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.", + "modified": "2026-04-23T00:58:05.830Z", + "name": "Jump Host", + "description": "Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts. 
", "x_mitre_sectors": [ "General" ], "x_mitre_related_assets": [ { - "name": "Process Automation Controller (PAC)", + "name": "Intermediate System", "related_asset_sectors": [ - "General" + "Electric" ], - "description": "Process Automation Controllers (PAC) share much of the same functionality as a PLC. PACs may include advanced features for process control, motion control, drive control, and vision applications. PACs may include additional features such as options to program in traditional programming languages such as C and C++ in addition to 61131 programming languages in order to support these more advanced controls. " - }, - { - "name": "Field Device / Controller", - "related_asset_sectors": [], - "description": "Programmable Logic Controller (PLC) may be referred to as Field Controllers or Field Devices as a general function name. " + "description": "A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users.(Citation: North American Electric Reliability Corporation June 2021)" } ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Embedded" + "Embedded", + "Linux", + "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" + }, + { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "created": "2023-09-28T14:43:05.105Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -24214,8 +27061,38 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-27T16:47:46.663Z", + "name": "Programmable Logic Controller (PLC)", + "description": "A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support its processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry specific programming languages, such as IEC 61131 (Citation: IEC February 2013), which define the set of tasks and program organizational units (POUs) included in the device\u2019s programs. PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Process Automation Controller (PAC)", + "related_asset_sectors": [ + "General" + ], + "description": "Process Automation Controllers (PAC) share much of the same functionality as a PLC. PACs may include advanced features for process control, motion control, drive control, and vision applications. PACs may include additional features such as options to program in traditional programming languages such as C and C++ in addition to 61131 programming languages in order to support these more advanced controls. " + }, + { + "name": "Field Device / Controller", + "related_asset_sectors": [ + "General" + ], + "description": "Programmable Logic Controller (PLC) may be referred to as Field Controllers or Field Devices as a general function name. 
" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" }, { "modified": "2024-04-11T16:06:34.700Z", @@ -24233,6 +27110,7 @@ "Dragos Threat Intelligence" ], "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -24288,101 +27166,16 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "ics-attack", "enterprise-attack" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "x-mitre-asset", - "id": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", - "created": "2023-09-28T14:55:39.339Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/assets/A0007", - "external_id": "A0007" - }, - { - "source_name": "Guidance - NIST SP800-82", - "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T19:58:01.290Z", - "name": "Control Server", - "description": "Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). 
The control server also usually provides an interface/network service to connect with an HMI.", - "x_mitre_sectors": [ - "General" - ], - "x_mitre_related_assets": [ - { - "name": "Supervisory Control And Data Acquisition (SCADA) Server", - "related_asset_sectors": [ - "General", - "Electric", - "Water and Wastewater" - ], - "description": "A SCADA server is used to perform monitoring and control across a distributed environment. It typically has an associated HMI to provide information to a human operator and heavily depends on the human operator to initiate control actions." - }, - { - "name": "Master Terminal Unit (MTU)", - "related_asset_sectors": [ - "General" - ], - "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)" - }, - { - "name": "Supervisory Controller", - "related_asset_sectors": [ - "General" - ], - "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)" - }, - { - "name": "Distribution/Energy Management System (DMS/EMS)", - "related_asset_sectors": [ - "Electric" - ], - "description": "A DMS and EMS are electric sector-specific systems that are commonly used to manage distribution and transmission-level electrical grids. These systems typically integrate a SCADA server and HMI with domain-specific data analysis applications, such as state-estimation and contingency analysis (EMS), or voltage-var control or fault restoration (DMS). These systems also maintain visibility (and in some cases control) through a variety of integrated and distributed automation systems. 
" - }, - { - "name": "Building Management / Automation System (BMS / BAS)", - "related_asset_sectors": [ - "General" - ], - "description": "A controller (or set of controllers) that manages functionality for many common commercial / industrial buildings, such as heating, ventilation, and air conditioning (HVAC), lighting, elevators, etc." - }, - { - "name": "Manufacturing Execution System (MES)", - "related_asset_sectors": [ - "Manufacturing" - ], - "description": "A controller that oversees the performance, efficiency, life cycle, and resourcing for a manufacturing process within the ICS environment at a facility. A MES may interact with an Enterprise Resource Planning (ERP) system in the business environment to coordinate resourcing and job planning." - } - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Windows", - "Linux", - "Embedded" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "2.0", - "x_mitre_attack_spec_version": "3.3.0" + ] }, { "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "created": "2017-05-31T21:31:57.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -24411,70 +27204,14 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Dragos Threat Intelligence" - ] - }, - { - "modified": "2023-10-04T18:07:59.333Z", - "name": "Virtual Private Network (VPN) Server", - "description": "A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.", - "x_mitre_sectors": [ - "General" ], - "x_mitre_related_assets": [ - { - "name": "Virtual Private Network (VPN) terminator", - "related_asset_sectors": [ - "General" - ], - "description": "A VPN terminator is a device performs the role of either a VPN client or server to support the establishment of VPN connection. (Citation: IEC February 2019)" - }, - { - "name": "Field VPN", - "related_asset_sectors": [ - "General" - ], - "description": "Field VPN are typically deployed at remote outstations and are used to create secure connections to VPN servers within data/control center environments. 
" - } - ], - "x_mitre_platforms": [ - "Windows", - "Linux", - "Embedded" - ], - "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" - ], - "x_mitre_version": "1.0", - "type": "x-mitre-asset", - "id": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", - "created": "2023-09-28T15:13:07.950Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/assets/A0011", - "external_id": "A0011" - }, - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "modified": "2024-12-04T21:17:08.593Z", @@ -24500,6 +27237,7 @@ "Hakan KARABACAK" ], "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "created": "2017-05-31T21:32:04.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -24633,13 +27371,13 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack", "ics-attack", "mobile-attack" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "modified": "2025-03-05T22:12:26.131Z", 
@@ -24655,6 +27393,7 @@ "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", + "spec_version": "2.1", "id": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f", "created": "2024-11-20T23:15:36.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -24680,14 +27419,11 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "ics-attack", - "enterprise-attack" - ] + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "campaign", + "spec_version": "2.1", "id": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", "created": "2023-03-31T17:22:23.567Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -24725,49 +27461,62 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ] + "x_mitre_attack_spec_version": "3.2.0" }, { "type": "campaign", - "id": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "created": "2023-03-10T20:01:08.133Z", + "spec_version": "2.1", + "id": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "created": "2026-04-22T19:33:22.532Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/campaigns/C0020", - "external_id": "C0020" + "url": "https://attack.mitre.org/campaigns/C0063", + "external_id": "C0063" }, { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + }, + { + "source_name": "ESET DynoWiper Update JAN 2026", + "description": "ESET. (2026, January 30). DynoWiper update: Technical analysis and attribution. Retrieved April 22, 2026.", + "url": "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/" + }, + { + "source_name": "ESET DynoWiper JAN 2026", + "description": "ESET. (2026, January 30). Russian Sandworm group attacks energy company in Poland with DynoWiper, ESET Research discovers. 
Retrieved April 22, 2026.", + "url": "https://www.eset.com/us/about/newsroom/research/eset-research-russian-sandwormapt-attacks-energy-company-poland-with-dynowiper/" + }, + { + "source_name": "Dragos ELECTRUM JAN 2026", + "description": "https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf. (2026, January). ELECTRUM: CYBER ATTACK ON POLAND\u2019S ELECTRIC SYSTEM 2025. Retrieved April 22, 2026.", + "url": "https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:23.900Z", - "name": "Maroochy Water Breach", - "description": "[Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020) was an incident in 2000 where an adversary leveraged the local government\u2019s wastewater control system and stolen engineering equipment to disrupt and eventually release 800,000 liters of raw sewage into the local community.(Citation: Marshall Abrams July 2008)", + "modified": "2026-04-23T23:21:30.984Z", + "name": "2025 Poland Wiper Attacks", + "description": "[2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063) is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, [DynoWiper](https://attack.mitre.org/software/S9038), a Windows-based wiper and [LazyWiper](https://attack.mitre.org/software/S9039), a PowerShell wiper, distributed via malicious Group Policy Objects. 
At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group [Dragonfly](https://attack.mitre.org/groups/G0035), also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)(Citation: ESET DynoWiper JAN 2026)(Citation: ESET DynoWiper Update JAN 2026)", "aliases": [ - "Maroochy Water Breach" + "2025 Poland Wiper Attacks", + "2025 Poland Wiper Campaign" ], - "first_seen": "2000-02-01T05:00:00.000Z", - "last_seen": "2000-04-01T05:00:00.000Z", - "x_mitre_first_seen_citation": "(Citation: Marshall Abrams July 2008)", - "x_mitre_last_seen_citation": "(Citation: Marshall Abrams July 2008)", + "first_seen": "2025-03-01T05:00:00.000Z", + "last_seen": "2025-12-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)", + "x_mitre_last_seen_citation": "(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_domains": [ - "ics-attack" + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" ] }, { @@ -24784,6 +27533,7 @@ "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", + "spec_version": "2.1", "id": "campaign--8fda050f-470d-4401-994e-35c1a6c301de", "created": "2024-03-25T19:58:53.090Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
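Review bot: The `Dragos ELECTRUM JAN 2026` entry added to C0063's `external_references` has the report URL where the author belongs in its `description`, so the rendered citation opens with a link instead of a publisher name. Going by the `source_name`, it presumably should read `"description": "Dragos. (2026, January). ELECTRUM: CYBER ATTACK ON POLAND\u2019S ELECTRIC SYSTEM 2025. Retrieved April 22, 2026."`. The same entry's `url` points at a numbered hosting-platform subdomain rather than a publisher-named domain, which makes the source harder to attribute and more likely to rot. A canonical publisher link or an archived copy would be sturdier, as this commit already does for the `Mandiant FIN12 Oct 2021` reference. Separately, `last_seen` is `2025-12-01T05:00:00.000Z` while the CERT Polska title cites 29 December; if that is month granularity by convention, it is worth confirming that consumers doing time-window correlation do not read it as a literal end date.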
@@ -24814,13 +27564,11 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "ics-attack" - ] + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -24901,6 +27649,7 @@ }, { "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "created": "2017-05-31T21:32:03.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -25029,6 +27778,7 @@ }, { "type": "campaign", + "spec_version": "2.1", "id": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", "created": "2022-09-20T20:53:14.373Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -25071,10 +27821,7 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_domains": [ - "ics-attack" - ] + "x_mitre_attack_spec_version": "3.2.0" }, { "modified": "2025-01-16T18:55:49.463Z", @@ -25103,6 +27850,7 @@ "Jaesang Oh, KC7 Foundation" ], "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -25245,12 +27993,12 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack", "ics-attack" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "modified": "2024-04-10T16:02:48.078Z", @@ -25266,6 +28014,7 @@ "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", + "spec_version": "2.1", "id": "campaign--df8eb785-70f8-4300-b444-277ba849083d", "created": "2024-03-27T19:43:25.703Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -25291,14 +28040,11 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ] + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", "created": "2017-05-31T21:32:09.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -25428,27 +28174,8 @@ ] }, { - "modified": "2025-03-12T20:33:21.597Z", - "name": "Wizard Spider", - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", - "aliases": [ - "Wizard Spider", - "UNC1878", - "TEMP.MixMaster", - "Grim Spider", - "FIN12", - "GOLD BLACKBURN", - "ITG23", - "Periwinkle Tempest", - "DEV-0193" - ], - "x_mitre_deprecated": false, - "x_mitre_version": "4.0", - "x_mitre_contributors": [ - "Edward Millington", - "Oleksiy Gayda" - ], "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", "created": "2020-05-12T18:15:29.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -25487,6 +28214,14 @@ "source_name": "DEV-0193", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, + { + "source_name": "Pistachio Tempest", + "description": "(Citation: Microsoft_PistachioTempest_Jan2024)" + }, + { + "source_name": "DEV-0237", + "description": "(Citation: Microsoft_PistachioTempest_Jan2024)" + }, { "source_name": "GOLD BLACKBURN", "description": "(Citation: Secureworks Gold Blackburn Mar 2022)" 
@@ -25521,6 +28256,11 @@ "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" }, + { + "source_name": "Microsoft_PistachioTempest_Jan2024", + "description": "Microsoft. (2024, January 25). Financially Motivated Threat Actor Pistachio Tempest. Retrieved December 15, 2025.", + "url": "https://www.microsoft.com/en-us/security/security-insider/threat-landscape/pistachio-tempest" + }, { "source_name": "CrowdStrike Wizard Spider October 2020", "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", @@ -25534,7 +28274,7 @@ { "source_name": "Mandiant FIN12 Oct 2021", "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.", - "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" + "url": "https://web.archive.org/web/20220313061955/https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" }, { "source_name": "IBM X-Force ITG23 Oct 2021", 
@@ -25545,12 +28285,34 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-01-20T16:26:04.859Z", + "name": "Wizard Spider", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", + "aliases": [ + "Wizard Spider", + "UNC1878", + "TEMP.MixMaster", + "Grim Spider", + "FIN12", + "GOLD BLACKBURN", + "ITG23", + "Periwinkle Tempest", + "DEV-0193", + "Pistachio Tempest", + "DEV-0237" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "4.1", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Edward Millington", + "Oleksiy Gayda" + ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "modified": "2024-04-17T16:13:43.697Z", @@ -25566,6 +28328,7 @@ "Dragos Threat Intelligence" ], "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "created": "2019-04-16T15:14:38.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -25613,12 +28376,12 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack", "ics-attack" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "modified": "2024-11-17T14:59:25.749Z", @@ -25639,6 +28402,7 @@ "Drew Church, Splunk" ], "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "created": "2017-05-31T21:32:06.015Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -25707,15 +28471,16 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "enterprise-attack", "ics-attack" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", "created": "2020-09-22T19:41:27.845Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -25763,37 +28528,19 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Thijn Bukkems, Amazon" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" ] }, { - "modified": "2025-01-22T21:54:11.727Z", - "name": "APT38", - "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", - "aliases": [ - "APT38", - "NICKEL GLADSTONE", - "BeagleBoyz", - "Bluenoroff", - "Stardust Chollima", - "Sapphire Sleet", - "COPERNICIUM" - ], - "x_mitre_deprecated": false, - "x_mitre_version": "3.1", - "x_mitre_contributors": [ - "Hiroki Nagahama, NEC Corporation", - 
"Manikantan Srinivasan, NEC Corporation India", - "Pooja Natarajan, NEC Corporation India" - ], "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", "created": "2019-01-29T21:27:24.793Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -25850,7 +28597,7 @@ { "source_name": "FireEye APT38 Oct 2018", "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.", - "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" + "url": "https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf" }, { "source_name": "Kaspersky Lazarus Under The Hood Blog 2017", 
@@ -25876,15 +28623,65 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-11-13T19:21:05.133Z", + "name": "APT38", + "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", + "aliases": [ + "APT38", + "NICKEL GLADSTONE", + "BeagleBoyz", + "Bluenoroff", + "Stardust Chollima", + "Sapphire Sleet", + "COPERNICIUM" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "3.1", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Hiroki Nagahama, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India", + "Pooja Natarajan, NEC Corporation India" + ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" - ], - 
"x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--6f318bab-df4a-4a51-b849-e9c2ab2f9c4c", + "created": "2026-04-22T15:09:30.933Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0903", + "external_id": "DET0903" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:28:00.436Z", + "name": "Detection of Block Operational Technology Message", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--c556c91d-64a0-401c-9c41-18971eeca0f2" + ], + "x_mitre_domains": [ + "ics-attack" + ] + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--0f2e4927-401d-430e-96ed-90feb8df1b03", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -25913,6 +28710,36 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--b04e83cc-8ace-4880-8953-7ce55eb8c427", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0756", + "external_id": "DET0756" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Default Credentials", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f12aa823-91cc-40e1-93b7-eaa5f5fa9c4d" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--a366d027-d797-4957-949a-870aed0766dd", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -25941,6 +28768,37 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--2e99cd65-aad4-4796-9013-79837d498eb6", + "created": "2026-04-23T00:09:43.016Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0913", + "external_id": "DET0913" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:31:14.045Z", + "name": "Detection of Program Download All", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--e379be82-39d7-4ae4-8557-f846ba19cd4b" + ], + "x_mitre_domains": [ + "ics-attack" + ] + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--edf989d8-7e25-4ed2-b289-a55dee68a75e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -25969,6 +28827,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--cb273244-c117-4e32-afc7-f72f4e44e179", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -25997,566 +28856,7 @@ }, { "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--2a1619a7-dd27-48e4-b56f-806cb3d2e405", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0784", - "external_id": "DET0784" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Block Command Message", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--11a350cf-1ea0-4065-877b-c3bb410bf3a0" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--709e05b2-6400-43a2-9bbf-b64f6017b023", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0752", - "external_id": "DET0752" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Program Download", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--b74100d1-0085-468a-834a-2bf10924a3b7" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--ec442b22-3dc8-4b2b-8294-b76b0f01d748", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0739", - "external_id": "DET0739" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Remote System Discovery", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--322ac45b-d540-4d2a-84a1-cde200238b95" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--b817139c-2941-4523-bfb5-10c36d230871", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0781", - "external_id": "DET0781" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Spearphishing Attachment", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--5610211c-1458-4333-8640-384189d9318e" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--7f32731d-7800-483c-b077-c4a187a27ae5", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0726", - "external_id": 
"DET0726" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Wireless Compromise", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--2388dc31-ba9a-4c12-b4b9-28bbc981c73e" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--37b4971d-2eb8-4f87-899c-19acaf0394bb", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0778", - "external_id": "DET0778" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Loss of Control", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--cbf791b4-5186-4205-ac5a-a56042aaebec" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--732d2487-3241-4866-8bb5-044bb4acdd3b", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0799", - "external_id": "DET0799" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Standard Application Layer 
Protocol", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--d271c7fc-d76a-4fb0-a645-5db2c1223a32" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--eabde43f-1872-499d-9642-85a6959c4d28", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0791", - "external_id": "DET0791" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of User Execution", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--d937e4b8-20f2-44c1-9940-48c74318c715" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--33dd1c37-1702-4de2-9712-fcc640e4b681", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0736", - "external_id": "DET0736" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Commonly Used Port", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - 
"x_mitre_analytic_refs": [ - "x-mitre-analytic--981b659b-992a-4d71-9404-0e1b2b598e50" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--04bcf663-e6cd-42bf-8864-f4d1ad345263", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0780", - "external_id": "DET0780" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Rootkit", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--ec695157-8c3c-439b-9925-459c9d4172f0" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--ae24274b-0e20-451e-a883-6eeb0e8e7d00", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0747", - "external_id": "DET0747" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Manipulation of Control", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--383a1a1c-8ecf-4909-9237-14a1f4fc4179" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": 
"x-mitre-detection-strategy--3e884c49-75ca-449e-83cb-3517ee88e0f1", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0751", - "external_id": "DET0751" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Screen Capture", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--66070162-d51e-46e7-8d32-2140fd5e7086" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--08c090e3-c56f-4a8b-80f6-307a1daf46ea", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0723", - "external_id": "DET0723" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Denial of Service", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--cff25f71-859e-48bf-88d6-852d05e22b33" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--47c6f72c-1f2f-4ea8-94d0-08202b7d5bdb", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - 
"source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0785", - "external_id": "DET0785" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Manipulation of View", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--d71e98fa-64d1-4ddb-acb1-bba1e4af6a73" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--ffeac6e1-798f-41b1-8baf-2650d2ebe031", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0724", - "external_id": "DET0724" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Valid Accounts", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--ddfcd948-3526-4241-a12f-d7bf63468e40" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--336b9423-5543-4354-bd00-13c614ccdc96", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0771", - "external_id": "DET0771" - } - ], - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Change Credential", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--d3023733-5874-4746-a947-65925514e382" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--4ea060f9-f6fc-4122-9544-70afd567ea10", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0797", - "external_id": "DET0797" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Block Serial COM", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--354b93da-06e9-4634-a5fd-7f9b7b3a9d5a" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--c94af5cb-61c3-4180-81e7-30c1669f4252", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0774", - "external_id": "DET0774" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of I/O Image", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--c40ddd75-f2fc-4899-bda1-bff164c96622" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--ad675d25-2829-48e5-8475-28f1ed5d813a", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0773", - "external_id": "DET0773" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Manipulate I/O Image", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--7841eb6b-8a05-4754-b738-a475bfbb89fb" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--b6a6d95c-e3b5-438d-a095-3fb0859c8f45", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0764", - "external_id": "DET0764" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Adversary-in-the-Middle", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - 
"x-mitre-analytic--afc9e394-147e-49db-81df-953d2d3ea93e" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--05f7d4e4-ae99-4339-b71a-59f1e317dc6d", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
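Review bot: Three of the detection-strategy objects deleted in this hunk, DET0774, DET0773 and DET0764, are not re-added in the part of the following hunk shown here, so check that they survive the reorder. The other deleted objects visibly return there with `spec_version` added, but a move and a drop look the same in a diff of this size, and a dropped strategy is a silent loss of detection coverage for anyone consuming the bundle. Emitting `objects` in a stable order, for example sorted by `id`, would keep pure moves out of future diffs and make a real removal stand out.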
@@ -26585,6 +28885,677 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--e90f1c0c-f2c5-4fe1-942f-411574df043f", + "created": "2026-04-23T00:32:34.211Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0914", + "external_id": "DET0914" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:31:02.396Z", + "name": "Detection of Program Append", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--3c6aa6f7-29e9-41d9-8500-30b6d0533d64" + ], + "x_mitre_domains": [ + "ics-attack" + ] + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--2a1619a7-dd27-48e4-b56f-806cb3d2e405", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0784", + "external_id": "DET0784" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Block Command Message", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--11a350cf-1ea0-4065-877b-c3bb410bf3a0" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": 
"x-mitre-detection-strategy--709e05b2-6400-43a2-9bbf-b64f6017b023", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0752", + "external_id": "DET0752" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Program Download", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--b74100d1-0085-468a-834a-2bf10924a3b7" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--ec442b22-3dc8-4b2b-8294-b76b0f01d748", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0739", + "external_id": "DET0739" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Remote System Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--322ac45b-d540-4d2a-84a1-cde200238b95" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--b817139c-2941-4523-bfb5-10c36d230871", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0781", + "external_id": "DET0781" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Spearphishing Attachment", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--5610211c-1458-4333-8640-384189d9318e" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--7f32731d-7800-483c-b077-c4a187a27ae5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0726", + "external_id": "DET0726" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Wireless Compromise", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--2388dc31-ba9a-4c12-b4b9-28bbc981c73e" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--37b4971d-2eb8-4f87-899c-19acaf0394bb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/detectionstrategies/DET0778", + "external_id": "DET0778" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Loss of Control", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--cbf791b4-5186-4205-ac5a-a56042aaebec" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--732d2487-3241-4866-8bb5-044bb4acdd3b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0799", + "external_id": "DET0799" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Standard Application Layer Protocol", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--d271c7fc-d76a-4fb0-a645-5db2c1223a32" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--eabde43f-1872-499d-9642-85a6959c4d28", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0791", + "external_id": "DET0791" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of User Execution", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--d937e4b8-20f2-44c1-9940-48c74318c715" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--33dd1c37-1702-4de2-9712-fcc640e4b681", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0736", + "external_id": "DET0736" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Commonly Used Port", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--981b659b-992a-4d71-9404-0e1b2b598e50" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--04bcf663-e6cd-42bf-8864-f4d1ad345263", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0780", + "external_id": "DET0780" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Rootkit", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--ec695157-8c3c-439b-9925-459c9d4172f0" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--ae24274b-0e20-451e-a883-6eeb0e8e7d00", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0747", + "external_id": "DET0747" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Manipulation of Control", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--383a1a1c-8ecf-4909-9237-14a1f4fc4179" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--3e884c49-75ca-449e-83cb-3517ee88e0f1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0751", + "external_id": "DET0751" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Screen Capture", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + 
"x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--66070162-d51e-46e7-8d32-2140fd5e7086" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--08c090e3-c56f-4a8b-80f6-307a1daf46ea", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0723", + "external_id": "DET0723" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Denial of Service", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--cff25f71-859e-48bf-88d6-852d05e22b33" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--527668a3-cc0c-48c2-856a-a45615817366", + "created": "2026-04-22T22:56:48.997Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0912", + "external_id": "DET0912" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:28:13.555Z", + "name": "Detection of Block Wi-Fi", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--0b4e7cfa-9f9d-49b0-b5bf-afdf62058c5a" + ], + "x_mitre_domains": [ 
+ "ics-attack" + ] + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--47c6f72c-1f2f-4ea8-94d0-08202b7d5bdb", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0785", + "external_id": "DET0785" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Manipulation of View", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--d71e98fa-64d1-4ddb-acb1-bba1e4af6a73" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--4ea060f9-f6fc-4122-9544-70afd567ea10", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0797", + "external_id": "DET0797" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Block Serial COM", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--354b93da-06e9-4634-a5fd-7f9b7b3a9d5a" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": 
"x-mitre-detection-strategy--ffeac6e1-798f-41b1-8baf-2650d2ebe031", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0724", + "external_id": "DET0724" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Valid Accounts", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--ddfcd948-3526-4241-a12f-d7bf63468e40" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--336b9423-5543-4354-bd00-13c614ccdc96", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0771", + "external_id": "DET0771" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Change Credential", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--d3023733-5874-4746-a947-65925514e382" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--73773bb8-c63b-4d48-9b48-33440f12a514", + "created": "2026-04-22T15:56:01.514Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0904", + "external_id": "DET0904" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:30:02.969Z", + "name": "Detection of Firmware Modification", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--fc6641ac-5748-4498-89e9-d4ada2b6f88a" + ], + "x_mitre_domains": [ + "ics-attack" + ] + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--c94af5cb-61c3-4180-81e7-30c1669f4252", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0774", + "external_id": "DET0774" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of I/O Image", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--c40ddd75-f2fc-4899-bda1-bff164c96622" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--ad675d25-2829-48e5-8475-28f1ed5d813a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/detectionstrategies/DET0773", + "external_id": "DET0773" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Manipulate I/O Image", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--7841eb6b-8a05-4754-b738-a475bfbb89fb" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--b6a6d95c-e3b5-438d-a095-3fb0859c8f45", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0764", + "external_id": "DET0764" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Adversary-in-the-Middle", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--afc9e394-147e-49db-81df-953d2d3ea93e" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--67c2be08-d31a-4385-a637-9d1a907c7a26", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -26613,6 +29584,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--09f46edf-33f9-4c23-af2f-74864c27f616", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -26641,6 +29613,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--13412b71-b94e-4aef-912a-44853f8bff05", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -26669,6 +29642,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--a995ba7c-c2c2-4d74-a3da-74e5a192099b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -26697,6 +29671,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--6f921aa8-deb3-4286-8101-26a7cbe80c0e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -26725,6 +29700,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--bbb288c7-9e40-46bd-b0a1-db4cfef4e1ee", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -26753,6 +29729,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--d8cb1dd3-8bf2-48e7-99db-473481b823a8", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -26781,6 +29758,37 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--c779ee07-ee85-42fe-a2c1-14ce25766cdf", + "created": "2026-04-22T21:48:05.256Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0910", + "external_id": "DET0910" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:27:42.639Z", + "name": "Detection of Block Communications", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--3f052beb-d384-4ebe-b942-2c4ddeb95833" + ], + "x_mitre_domains": [ + "ics-attack" + ] + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--5604323b-6e7a-4801-91ae-4bf591f2e3ac", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -26809,6 +29817,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--f9b7143b-ce86-4cfb-a03a-f39c01904fb1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -26835,8 +29844,39 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--ff6456fc-576d-4da5-b561-b58f70961b15", + "created": "2026-04-22T16:29:50.802Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0905", + "external_id": "DET0905" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:30:16.130Z", + "name": "Detection of Insecure Credentials", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--1017530e-423d-4857-80b6-99891bf82d28" + ], + "x_mitre_domains": [ + "ics-attack" + ] + }, { "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6", "created": "2018-01-16T16:13:52.465Z", "revoked": true, 
@@ -26854,294 +29894,15 @@ "name": "APT34", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": [ "ics-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--9ad17e7a-5920-42ac-9bf4-545b99162640", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0792", - "external_id": "DET0792" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Rogue Master", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--37d989e6-14cd-49a4-adec-3d8b72c8dc22" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--e9f6c9ad-7368-43e3-9ba1-c9261323a1d1", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0803", - "external_id": "DET0803" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of External Remote Services", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - 
"x_mitre_analytic_refs": [ - "x-mitre-analytic--908fe88b-d8e2-47d1-b6a4-7a42b3bbe09b" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--f9ea25e7-6e63-4ef1-a8ad-47a4a261e175", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0735", - "external_id": "DET0735" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Scripting", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--302a5327-70cf-44b5-b592-ce9a62014dcc" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--f4f3b9a6-2de0-45a5-8936-2ad9288191b9", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0800", - "external_id": "DET0800" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Network Sniffing", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--28eb77c1-1834-4b7a-a06f-afebb7f2e756" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": 
"x-mitre-detection-strategy--636329e6-32b9-4a71-acf8-ae6d01a6b4ef", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0787", - "external_id": "DET0787" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Remote System Information Discovery", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--f123f13f-b6f4-4e86-96cd-14df0e855e0f" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--825106d1-6f44-47a1-b8dd-c3e3b6cecab7", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0777", - "external_id": "DET0777" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Modify Alarm Settings", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--330166da-bc80-4aca-bd41-cbd6b1742812" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--fddbd892-faa2-40e1-b40d-2c6e33c00f14", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - 
"external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0755", - "external_id": "DET0755" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Change Operating Mode", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--78615cd7-6a14-4921-aaa9-2aae0774f0f1" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--74b96bd4-dab9-494e-a540-b7c998581fd5", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0804", - "external_id": "DET0804" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Remote Services", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--058d856a-6356-402f-b3ff-a7c1b6186921" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--09754c36-7be2-4536-aad2-a6c3568ba0e5", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0766", - "external_id": "DET0766" - } - ], - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Project File Infection", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--6e046c4c-6c93-4fdf-a69e-5d81b52d1e9c" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--2145faf1-28da-4ebc-9730-f2e2a8764ced", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0732", - "external_id": "DET0732" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Theft of Operational Information", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--cd4c92f9-3107-45c7-9d95-19a44d7dc92c" - ], - "x_mitre_deprecated": false + ] }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--de675cf4-144e-485c-a761-c72ebcb9e2bc", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -27170,6 +29931,385 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--9ad17e7a-5920-42ac-9bf4-545b99162640", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0792", + "external_id": "DET0792" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Rogue Master", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--37d989e6-14cd-49a4-adec-3d8b72c8dc22" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--e9f6c9ad-7368-43e3-9ba1-c9261323a1d1", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0803", + "external_id": "DET0803" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of External Remote Services", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--908fe88b-d8e2-47d1-b6a4-7a42b3bbe09b" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": 
"x-mitre-detection-strategy--f9ea25e7-6e63-4ef1-a8ad-47a4a261e175", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0735", + "external_id": "DET0735" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Scripting", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--302a5327-70cf-44b5-b592-ce9a62014dcc" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--e69d1e15-76e1-434c-bd45-0354a10dde8a", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0790", + "external_id": "DET0790" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Module Firmware", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--880a1133-6639-42f0-96a8-3e914426d38b" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--f487a605-0acb-4b12-b157-33b75ebd9a40", + "created": "2026-04-22T14:32:49.664Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0902", + "external_id": "DET0902" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:31:37.796Z", + "name": "Detection of Unauthorized Message", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--613b28ef-88dd-4008-8d7e-206ce55a7cde" + ], + "x_mitre_domains": [ + "ics-attack" + ] + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--f4f3b9a6-2de0-45a5-8936-2ad9288191b9", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0800", + "external_id": "DET0800" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Network Sniffing", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--28eb77c1-1834-4b7a-a06f-afebb7f2e756" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--636329e6-32b9-4a71-acf8-ae6d01a6b4ef", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": 
"https://attack.mitre.org/detectionstrategies/DET0787", + "external_id": "DET0787" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Remote System Information Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f123f13f-b6f4-4e86-96cd-14df0e855e0f" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--c0e6c96d-8605-407a-9bce-628e7853b07f", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0746", + "external_id": "DET0746" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Spoof Reporting Message", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--32bfb2ab-2ad1-4c00-8428-96bc626c34f3" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--825106d1-6f44-47a1-b8dd-c3e3b6cecab7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0777", + "external_id": "DET0777" + } + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Modify Alarm Settings", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--330166da-bc80-4aca-bd41-cbd6b1742812" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--fddbd892-faa2-40e1-b40d-2c6e33c00f14", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0755", + "external_id": "DET0755" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Change Operating Mode", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--78615cd7-6a14-4921-aaa9-2aae0774f0f1" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--74b96bd4-dab9-494e-a540-b7c998581fd5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0804", + "external_id": "DET0804" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Remote Services", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--058d856a-6356-402f-b3ff-a7c1b6186921" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--09754c36-7be2-4536-aad2-a6c3568ba0e5", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0766", + "external_id": "DET0766" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Project File Infection", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--6e046c4c-6c93-4fdf-a69e-5d81b52d1e9c" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--2145faf1-28da-4ebc-9730-f2e2a8764ced", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0732", + "external_id": "DET0732" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "name": "Detection of Theft of Operational Information", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": 
"3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_analytic_refs": [ + "x-mitre-analytic--cd4c92f9-3107-45c7-9d95-19a44d7dc92c" + ], + "x_mitre_deprecated": false + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--89e95503-b02c-43da-90b3-15584b27e6d6", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27198,6 +30338,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--519082ce-24ab-4f6b-9e86-b9443758c9d4", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27226,6 +30367,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--442bf059-f7cf-460b-8200-f35e1e0a0c78", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27263,6 +30405,7 @@ "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa", "created": "2024-03-25T19:57:07.829Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27286,14 +30429,15 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "ics-attack" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--58b4bda4-d69a-4a20-ab67-308c4451a5e8", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -27322,6 +30466,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--f1a7e304-d05f-4e48-89b7-8b034f507c32", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27350,6 +30495,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--930b268b-abf0-485f-9854-60c1cfdd2d33", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27375,6 +30521,37 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--56bf71a3-a28b-4a8f-84ed-3a71449d47c0", + "created": "2026-04-22T20:46:31.212Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0909", + "external_id": "DET0909" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:30:28.263Z", + "name": "Detection of Multicast Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--67861309-0ba7-4713-843e-3def87e396ec" + ], + "x_mitre_domains": [ + "ics-attack" + ] + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--441ded70-7e25-47f1-b55c-0fafb7d4f44c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -27403,34 +30580,7 @@ }, { "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--c0e6c96d-8605-407a-9bce-628e7853b07f", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0746", - "external_id": "DET0746" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Spoof Reporting Message", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.3.0", - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--32bfb2ab-2ad1-4c00-8428-96bc626c34f3" - ], - "x_mitre_deprecated": false - }, - { - "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--b25c4621-5d38-43ee-871e-0e5c02f2f48c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27459,6 +30609,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--887ae691-a519-4b68-af26-bcea1483cef7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27487,6 +30638,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--d9469edc-7e55-41bc-8b17-a8db9fc6302e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27515,6 +30667,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--442e5dcf-7f41-4ba5-ba89-aefb0d1c63cf", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -27543,6 +30696,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--fb0931d5-8eb9-4db2-a2a4-447c32b29bd4", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27571,6 +30725,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--c7aea5e8-cd8b-4f79-be41-3a446cdde7b7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27599,6 +30754,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--194cb4dd-81ca-4e64-94e2-911fab1219f9", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -27627,34 +30783,37 @@ }, { "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--b04e83cc-8ace-4880-8953-7ce55eb8c427", - "created": "2025-10-21T15:10:28.402Z", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--6bdde391-76eb-4bd7-9e19-e805ab98b7ac", + "created": "2026-04-22T18:52:19.941Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0756", - "external_id": "DET0756" + "url": "https://attack.mitre.org/detectionstrategies/DET0907", + "external_id": "DET0907" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Default Credentials", + "modified": "2026-04-24T20:30:52.373Z", + "name": "Detection of Port Scan", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--51a094bf-b7eb-452a-9b7a-ffac16fce1ac" + ], "x_mitre_domains": [ "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--f12aa823-91cc-40e1-93b7-eaa5f5fa9c4d" - ], - "x_mitre_deprecated": false + ] }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--06443942-ba28-4d13-b4b4-93317d6eafa5", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27683,6 +30842,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--c7737640-99e8-4efb-90ee-39332b623b33", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -27711,6 +30871,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--5ba60cf7-738d-4ed4-827c-8c763ad9f0f0", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27739,6 +30900,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--c0abb110-c80e-4d6a-9f27-f2783f8bbfec", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27767,6 +30929,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--62587e44-0623-4b14-bd45-126430eaed4a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27795,6 +30958,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--e6bc5359-4bd4-4688-9136-ac7a6b561f56", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27823,6 +30987,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--60a55b7b-29a5-437e-83a7-edbe6f3c4415", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27851,6 +31016,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--97914ffd-b189-415e-9309-e63e3be01b1e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -27879,6 +31045,37 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--31773402-e407-4ed3-b86c-7a8587dc5ec9", + "created": "2026-04-22T17:55:10.734Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0906", + "external_id": "DET0906" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:31:24.570Z", + "name": "Detection of Siemens Project File Format Infection", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--6a510bf0-0289-4eb0-8645-89f0f4d32cf3" + ], + "x_mitre_domains": [ + "ics-attack" + ] + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--9f3df5ac-caa0-4189-9b9b-dcf2f6bbdc54", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27907,6 +31104,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--8ae936b6-b635-4104-bd11-81c18d90cf97", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -27935,6 +31133,37 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--c1645705-a26f-45b2-aa68-ff5c93dfc0f4", + "created": "2026-04-23T00:43:15.974Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0915", + "external_id": "DET0915" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:30:40.347Z", + "name": "Detection of Online Edit", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--22b202f2-d4dd-44dd-b5e1-791ff2aef8ed" + ], + "x_mitre_domains": [ + "ics-attack" + ] + }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--fe11c904-752f-40e2-b269-c53bbb29541a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27963,6 +31192,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--6d2ba563-0aa9-4f64-a14d-da62b694b495", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -27991,6 +31221,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--1bae319f-03d8-49c9-8bb8-e4f27bb69a11", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -28019,6 +31250,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--e8b537e6-04eb-4168-a206-88cc041edf50", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -28047,6 +31279,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--3a772c6d-fda2-404a-86aa-85a0bdbb43e9", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -28075,6 +31308,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--105c127f-2777-452e-bf61-b0786ee13861", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -28103,34 +31337,37 @@ }, { "type": "x-mitre-detection-strategy", - "id": "x-mitre-detection-strategy--e69d1e15-76e1-434c-bd45-0354a10dde8a", - "created": "2025-10-21T15:10:28.402Z", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--feb80c7a-96cd-4300-b344-4d75b176c9cb", + "created": "2026-04-22T22:42:31.791Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/detectionstrategies/DET0790", - "external_id": "DET0790" + "url": "https://attack.mitre.org/detectionstrategies/DET0911", + "external_id": "DET0911" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:10:28.402Z", - "name": "Detection of Module Firmware", + "modified": "2026-04-24T20:27:51.377Z", + "name": "Detection of Block Ethernet", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--df7f8849-56a7-4e83-9fd7-a4f25227d960" + ], "x_mitre_domains": [ "ics-attack" - ], - "x_mitre_analytic_refs": [ - "x-mitre-analytic--880a1133-6639-42f0-96a8-3e914426d38b" - ], - "x_mitre_deprecated": false + ] }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--3ea60ac7-87a3-4033-9089-258941d8388a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -28159,6 +31396,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--c4777f1a-1481-4e8a-a3f4-0da57418c808", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -28187,6 +31425,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--ab3f0926-58e2-485e-987c-66b541d9de97", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -28215,6 +31454,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--7f41ed29-fdc6-4c28-ba10-9de1aa129f7e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -28243,6 +31483,7 @@ }, { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--87493fa2-bb78-4e28-b882-d79eecd10740", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -28269,17 +31510,62 @@ ], "x_mitre_deprecated": false }, + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--c4ddc0d7-0296-4d92-9ae1-1a4b7b5d1640", + "created": "2026-04-22T20:32:50.322Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0908", + "external_id": "DET0908" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:29:42.421Z", + "name": "Detection of Broadcast Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f6324642-d17d-49d4-90b2-bab9d229d6fa" + ], + "x_mitre_domains": [ + "ics-attack" + ] + }, { "type": "relationship", - "id": "relationship--007a2c53-fc5c-4750-aff0-defb282e178a", - "created": "2023-09-29T16:30:30.829Z", + "id": "relationship--004d6d78-390b-4969-9e88-8b92d33fbfc0", + "created": "2023-09-28T21:09:50.956Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:02:17.814Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--007a2c53-fc5c-4750-aff0-defb282e178a", + "created": "2023-09-29T16:30:30.829Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:00:49.087Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -28287,12 +31573,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--008c7424-73ef-4a99-bcfa-2d96eb7daba0", + "created": "2026-04-22T20:41:47.703Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:41:47.703Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--00b9e63b-57a7-408e-83d6-fc03535010a6", "created": "2023-09-27T14:39:33.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", 
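Review bot: The relationship objects added in the `@@ -28269,17 +31510,62 @@` hunk (`relationship--004d6d78…` and the re-emitted `relationship--007a2c53…`) carry no `spec_version`, while the detection strategy added just before them (`x-mitre-detection-strategy--c4ddc0d7…`) is stamped `"spec_version": "2.1"`. STIX 2.1 treats an SDO or SRO without that property as implicitly 2.0, so a version-aware parser or validator will see mixed-version objects in one bundle. The relationship added in the next hunk (`relationship--008c7424…`) has the same gap. If the 2.1 stamp is intended, add `"spec_version": "2.1",` after `"type": "relationship",` on the relationships too; since this looks like exporter output, the fix probably belongs in the generator rather than in the file.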
@@ -28312,6 +31614,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--00e34880-abdb-418d-9252-0433aa40950e", + "created": "2026-04-22T15:09:56.165Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T15:09:56.165Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--6f318bab-df4a-4a51-b849-e9c2ab2f9c4c", + "target_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6", 
@@ -28338,15 +31657,31 @@ }, { "type": "relationship", - "id": "relationship--011f1d16-c9f1-48ac-94f1-165466c155f8", - "created": "2023-09-29T18:43:33.176Z", + "id": "relationship--0105c4f6-a34f-4e0e-964b-a7d108ea3e08", + "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-28T15:25:59.368Z", + "description": "Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--011f1d16-c9f1-48ac-94f1-165466c155f8", + "created": "2023-09-29T18:43:33.176Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:00:49.972Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
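Review bot: `"revoked": false` is emitted inconsistently within this hunk: the added `relationship--0105c4f6…` keeps it, while `relationship--011f1d16…` is re-emitted without it (and without its empty `description`). Tooling that selects live objects with an equality test on `revoked`, instead of treating a missing key as false, will silently drop the second kind, and that skews any mitigation or detection coverage report built from this bundle. The later hunks that only delete `"revoked": false,` have the same effect. Either emit the default on every object or state in the release notes that an absent `revoked` means `false`.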
@@ -28359,12 +31694,10 @@ "id": "relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd", "created": "2023-09-29T16:30:58.431Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:50.177Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -28377,12 +31710,10 @@ "id": "relationship--01335508-22bb-4185-a7e2-49ec9bee6423", "created": "2023-09-28T20:15:20.293Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:50.425Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -28409,33 +31740,31 @@ }, { "type": "relationship", - "id": "relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0", - "created": "2023-09-29T18:42:27.894Z", + "id": "relationship--01c8cc53-dfd0-4afc-8df6-e57494bd9e24", + "created": "2026-04-22T16:04:03.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:00:50.855Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "modified": "2026-04-23T15:50:26.445Z", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124", "created": "2023-09-29T18:55:47.037Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:51.055Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", 
@@ -28448,12 +31777,10 @@ "id": "relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50", "created": "2023-09-29T17:42:44.516Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:51.276Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -28483,12 +31810,10 @@ "id": "relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c", "created": "2023-09-29T17:59:31.091Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:51.927Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -28501,7 +31826,6 @@ "id": "relationship--03181dba-035f-45e6-a5c9-70d02a96e4f4", "created": "2025-09-24T18:21:15.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -28518,12 +31842,10 @@ "id": "relationship--033b4401-261f-498b-89f3-2bad9ff5907a", "created": "2023-09-29T17:58:15.338Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:52.127Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -28531,12 +31853,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--03709641-2bf2-406a-9567-ccf9d0b65017", + "created": "2025-09-29T22:06:21.839Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-29T22:06:21.839Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -28554,12 +31892,10 @@ "id": "relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57", "created": "2023-09-29T16:29:03.438Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:52.555Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -28572,7 +31908,6 @@ "id": "relationship--03b4dae7-3b20-4ea9-9f7c-6c97582f98b7", "created": "2024-03-28T14:33:00.899Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Triton-EENews-2017", 
@@ -28614,7 +31949,6 @@ "id": "relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91", "created": "2023-03-30T19:00:12.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Keith Stouffer May 2015", @@ -28644,12 +31978,10 @@ "id": "relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361", "created": "2023-09-29T17:40:34.866Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:53.760Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -28662,7 +31994,6 @@ "id": "relationship--0406292e-1288-42ac-b74b-88f5f0a7f1b9", "created": "2025-09-24T18:03:25.211Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -28679,7 +32010,6 @@ "id": "relationship--042243fd-bfe0-4961-96de-a36232d3ff74", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Symantec Security Response July 2014", 
@@ -28699,6 +32029,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--046ca7d3-d2d2-458b-bce4-236bc0f207e5", + "created": "2026-04-22T22:30:00.729Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:30:00.729Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--04882fef-2a6b-40d0-a101-da9c76a3572e", @@ -28738,12 +32085,10 @@ "id": "relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863", "created": "2023-09-28T20:29:11.776Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:54.635Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", @@ -28756,7 +32101,6 @@ "id": "relationship--04bf72de-75ba-4d95-ad24-f93ad835180c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", 
@@ -28778,20 +32122,20 @@ }, { "type": "relationship", - "id": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--0525121a-0797-4353-98d0-7efc65793157", + "created": "2026-04-22T20:41:30.328Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:24:32.756Z", - "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "modified": "2026-04-22T20:41:30.328Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -28802,7 +32146,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0f2e4927-401d-430e-96ed-90feb8df1b03", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", 
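Review bot: The `mitigates` relationship `relationship--04fa6b94…` (firmware integrity checks against a trusted hash) is deleted in the `@@ -28778,20 +32122,20 @@` hunk with no `revoked` or `x_mitre_deprecated` marker left behind. The relationships in this part of the file appear to be ordered by id, so this looks like a removal rather than a move, and nothing in the visible hunks re-attaches that guidance to a successor technique. It may be tied to the removal of `Detection of Module Firmware` (DET0790) earlier in the diff, but that is an inference. Please confirm the drop is intentional and record it in the changelog, because consumers that map `course-of-action--bcf91ebc…` to techniques lose that pairing without any signal in the data.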
@@ -28815,7 +32158,6 @@ "id": "relationship--058396ca-3af4-444b-b261-74485c47e68c", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik April 2019", 
@@ -28837,27 +32179,73 @@ }, { "type": "relationship", - "id": "relationship--0628c6a0-f799-44c4-b68a-95d32d244763", - "created": "2025-09-29T21:56:50.121Z", + "id": "relationship--05d18e5c-9c1f-4ee3-95a2-da62bf1c45f8", + "created": "2026-04-23T00:28:51.179Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-09-29T21:56:50.121Z", + "modified": "2026-04-23T00:28:51.179Z", "relationship_type": "targets", - "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "source_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--05e82fa8-d762-4b8f-ae07-019e0f24100b", + "created": "2023-09-29T16:43:28.841Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:02:40.092Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--061271f5-0d51-4011-9451-532cd1efedbd", + "created": "2026-04-23T14:20:03.889Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). 
Pipedream: Chernovite\u2019s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T14:20:03.889Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.(Citation: Dragos-Pipedream)(Citation: Wylie-22)\n", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--064dfd6f-db5d-48e8-b350-9dd47a270911", "created": "2022-09-28T20:22:09.916Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA-AA22-103A", 
@@ -28877,12 +32265,27 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--0665de34-d5a5-46ae-a0e5-3021bf48c294", + "created": "2026-04-20T20:54:17.554Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:17.554Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--067932c3-0011-4ca2-9bbe-721c631e4e41", "created": "2021-04-13T12:45:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", @@ -28929,12 +32332,10 @@ "id": "relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e", "created": "2023-09-28T21:28:51.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:57.095Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -28947,12 +32348,10 @@ "id": "relationship--076bfea6-309e-4804-a147-dffe93983481", "created": "2023-09-28T20:16:17.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:57.327Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", @@ -28965,7 +32364,6 @@ "id": "relationship--077226fd-25b1-4d77-b2e5-d81331ff803b", "created": "2025-09-29T19:02:12.939Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -28979,33 +32377,72 @@ }, { "type": "relationship", - "id": "relationship--07c0e166-f05e-413f-8f3e-f487317c9626", - "created": "2023-03-22T15:53:59.953Z", + "id": "relationship--079705ab-c377-4a5b-b9f3-70ed03419ee2", + "created": "2023-09-29T17:09:59.595Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:00:57.527Z", - "description": "Devices and programs that receive command messages from remote systems (e.g., control servers) should verify those commands before taking any actions on them.", - "relationship_type": "mitigates", - "source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "modified": "2025-04-16T23:01:27.268Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--079dfa0e-16b1-4d5a-a548-46b53de7cd61", + "created": "2026-04-22T16:36:52.234Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:36:52.234Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": 
"relationship--07ccd2e1-d4fa-44ff-8d42-95a0942f89d6", + "created": "2023-03-10T20:35:16.772Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:02:59.730Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--07e06d21-e666-4274-838a-ef9996fdc0cd", "created": "2023-09-28T20:05:45.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:57.749Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -29018,12 +32455,10 @@ "id": "relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44", "created": "2023-09-29T16:47:20.192Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:57.964Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -29065,6 +32500,48 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--085c2906-24e2-4bc8-8e5d-fded599d798c", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:02:18.254Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--085ccfd8-ef5f-41cb-abc7-be5330c60f4e", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--b04e83cc-8ace-4880-8953-7ce55eb8c427", + "target_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--0861bf03-eadd-45a4-8490-ae2a2939125b", @@ -29074,7 +32551,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--a366d027-d797-4957-949a-870aed0766dd", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", 
@@ -29082,52 +32558,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--088580e9-ccea-426e-9411-c1de60de650d", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:24:35.268Z", - "description": "Devices should authenticate all messages between master and outstation assets.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--0951222a-42d1-4635-bb12-5285bc6500e0", - "created": "2023-09-28T20:15:45.244Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:00:59.066Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--095456bc-898b-4c76-a062-ff0ea90aeab4", "created": "2023-09-28T21:25:05.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:59.310Z", - "description": "", "relationship_type": "targets", "source_ref": 
"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -29137,15 +32576,30 @@ }, { "type": "relationship", - "id": "relationship--096c3136-dac9-4729-98c0-c8d870f2bd13", - "created": "2023-09-28T19:42:01.055Z", + "id": "relationship--09676502-c50a-47ca-bbef-fffced52346e", + "created": "2026-04-23T00:09:58.357Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T00:09:58.357Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--2e99cd65-aad4-4796-9013-79837d498eb6", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--096c3136-dac9-4729-98c0-c8d870f2bd13", + "created": "2023-09-28T19:42:01.055Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:00:59.533Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -29155,20 +32609,38 @@ }, { "type": "relationship", - "id": "relationship--09977105-562f-4f45-a151-27a11a18031e", + "id": "relationship--096e7743-c090-4386-a759-d749f00bae61", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:24:35.809Z", - "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "modified": "2026-04-23T19:31:58.810Z", + "description": "Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices.\n", "relationship_type": "mitigates", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--098ea270-0a22-4922-a585-412d8ee78390", + "created": "2026-04-22T20:41:09.962Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:41:09.962Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": 
"relationship", @@ -29179,7 +32651,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--edf989d8-7e25-4ed2-b289-a55dee68a75e", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", @@ -29192,12 +32663,10 @@ "id": "relationship--09e0c991-1707-431b-a0fd-fd8215e6d552", "created": "2023-09-28T20:30:12.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:59.961Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", @@ -29210,12 +32679,10 @@ "id": "relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6", "created": "2023-09-28T19:53:56.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:00.211Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -29228,7 +32695,6 @@ "id": "relationship--0a3b621d-2e88-4392-9963-3fdc40d3cb42", "created": "2025-09-29T22:03:02.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -29245,12 +32711,10 @@ "id": "relationship--0a421699-f013-49f4-9d9f-01d95d210510", "created": "2023-09-28T19:37:25.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:00.654Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -29263,12 +32727,10 @@ "id": "relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a", "created": "2023-09-29T17:38:04.048Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:00.869Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -29281,7 +32743,6 @@ "id": "relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -29296,15 +32757,47 @@ }, { "type": "relationship", - "id": "relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91", - "created": "2023-10-02T20:23:11.865Z", + "id": "relationship--0aefda29-be77-4660-b7a5-a6430f409914", + "created": "2023-10-02T20:18:20.019Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:02:56.338Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--0afaef8a-ed55-4a5b-bbbb-0671a8ffaa79", + "created": "2023-09-29T18:42:27.894Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:00:50.855Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91", + "created": "2023-10-02T20:23:11.865Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:01.311Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": 
"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", @@ -29317,12 +32810,10 @@ "id": "relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42", "created": "2023-09-28T19:59:10.561Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:01.508Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -29332,15 +32823,30 @@ }, { "type": "relationship", - "id": "relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f", - "created": "2023-09-28T21:22:48.239Z", + "id": "relationship--0b4198f1-e32d-4430-af65-893d3007be7f", + "created": "2026-04-22T16:09:16.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T16:09:16.900Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f", + "created": "2023-09-28T21:22:48.239Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:01.731Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -29353,12 +32859,10 @@ "id": "relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b", "created": "2023-09-29T18:46:22.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:02.137Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -29371,12 +32875,10 @@ "id": "relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016", "created": "2023-09-28T20:10:34.479Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:02.390Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -29384,12 +32886,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--0bdfc1b0-3dd2-4170-a39e-98675202a6d2", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:25:12.890Z", + "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jacqueline O'Leary et al. September 2017", @@ -29423,7 +32942,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--cb273244-c117-4e32-afc7-f72f4e44e179", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", @@ -29436,7 +32954,6 @@ "id": "relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", 
@@ -29461,7 +32978,6 @@ "id": "relationship--0c27087a-623e-4c22-91ce-aa86ea57d7ab", "created": "2025-09-24T18:19:10.881Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -29475,50 +32991,31 @@ }, { "type": "relationship", - "id": "relationship--0c284ce0-0be2-4164-b686-7c383b246aec", + "id": "relationship--0c68501b-8e36-4d75-9e61-7a518a9ca1f2", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "ESET Research Whitepapers September 2018", - "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" - }, - { - "source_name": "Intel", - "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", - "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" - }, - { - "source_name": "N/A", - "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", - "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:03.032Z", - "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. 
(Citation: Intel)\n", + "modified": "2025-04-28T15:25:49.358Z", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "relationship_type": "mitigates", - "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--0c72593d-fcc6-4023-8771-bed5e243310e", "created": "2023-09-28T21:24:37.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:03.462Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -29526,47 +33023,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:24:37.713Z", - "description": "Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8", - "created": "2023-09-28T19:51:27.775Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:01:03.908Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--0cce4090-d079-422c-995e-b4f04b280a7d", "created": "2025-09-29T19:08:40.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -29578,12 +33039,70 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--0cd64563-f35e-4cb3-94b9-617c868d3671", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:27:40.834Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--0ce4ccc4-4e9e-4a4b-86d4-3c3838229c3d", + "created": "2026-04-22T22:29:43.440Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:29:43.440Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--0d379c02-d3bb-4698-b30c-985705a9bfd7", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--05f7d4e4-ae99-4339-b71a-59f1e317dc6d", + "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--0d4f2f88-e176-42c7-8258-52b345045662", "created": "2022-09-28T20:29:51.844Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA-AA22-103A", @@ -29608,12 +33127,10 @@ "id": "relationship--0d52eea3-394e-492b-944b-9ccb6348329d", "created": "2023-09-28T21:14:41.633Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:04.553Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -29621,12 +33138,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--0d537021-040f-4592-a3e0-006be5502615", + "created": "2026-04-22T22:49:50.189Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:49:50.189Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--0d563cbc-b22c-4748-b082-db98bb7f0dab", "created": "2024-11-20T23:08:24.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", 
@@ -29651,51 +33184,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--0d617f2e-5c61-419b-9573-35d63fe1df1c", - "created": "2025-09-29T19:02:59.197Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T19:02:59.197Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, - { - "type": "relationship", - "id": "relationship--0d76f813-9d83-4d23-9604-966b71b562f8", - "created": "2025-09-29T19:48:07.839Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T19:48:07.839Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--0d8e0324-ba8e-4712-a123-60377afe94da", "created": "2023-09-29T18:48:17.073Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:05.201Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "target_ref": 
"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -29705,15 +33202,30 @@ }, { "type": "relationship", - "id": "relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136", - "created": "2023-09-29T17:57:12.010Z", + "id": "relationship--0d985b02-cf5f-4307-92ef-9b45eb41bb1b", + "created": "2026-04-23T00:32:54.549Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T00:32:54.549Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--e90f1c0c-f2c5-4fe1-942f-411574df043f", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136", + "created": "2023-09-29T17:57:12.010Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:05.408Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -29743,7 +33255,6 @@ "id": "relationship--0e0eed7f-1569-4596-9931-bca61a35dc3b", "created": "2025-09-29T21:59:48.001Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -29760,12 +33271,10 @@ "id": "relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81", "created": "2024-04-09T20:58:17.933Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:06.044Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -29778,12 +33287,10 @@ "id": "relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954", "created": "2023-09-29T16:27:50.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:06.275Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -29796,7 +33303,6 @@ "id": "relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", @@ -29838,7 +33344,6 @@ "id": "relationship--0e9d5ca1-5bb1-415f-b31b-d4187d58f4ae", "created": "2025-09-29T19:07:47.713Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -29850,12 +33355,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--0e9d621b-7d0b-4490-b46f-2a671abca251", + "created": "2026-04-22T21:40:02.113Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:40:02.113Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos", @@ -29880,12 +33401,10 @@ "id": "relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29", "created": "2023-09-29T17:57:34.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:07.422Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -29898,7 +33417,6 @@ "id": "relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Andy Greenburg June 2019", 
@@ -29928,7 +33446,6 @@ "id": "relationship--0f20baa2-20cd-49de-bfa4-5b9765ceacf1", "created": "2025-09-29T19:47:19.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -29942,15 +33459,31 @@ }, { "type": "relationship", - "id": "relationship--0f5295ce-d705-4541-8dda-c569b126d103", - "created": "2023-10-02T20:24:03.723Z", + "id": "relationship--0f41614d-c37c-47d1-9616-6dae9b73b532", + "created": "2026-04-22T17:51:17.695Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T16:19:22.209Z", + "description": "Allow for code signing of any project files stored at rest to prevent unauthorized tampering. Ensure the signing keys are not easily accessible on the same system.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--0f5295ce-d705-4541-8dda-c569b126d103", + "created": "2023-10-02T20:24:03.723Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:07.855Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
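Review bot: The description added for relationship--0f41614d says code signing of project files will "prevent unauthorized tampering", but a signature only makes tampering detectable, and only if it is verified before the file is opened or downloaded to a controller. The text should name that verification step, for example `"description": "Sign project files stored at rest and verify the signature before a file is opened or downloaded, so unauthorized changes are detected. Keep the signing keys off the system that stores the project files."`. The current wording, "not easily accessible on the same system", still allows keys that sit on that system behind weak protection. Keeping them on a separate signing host or hardware token is the clearer requirement.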
@@ -29963,12 +33496,10 @@ "id": "relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72", "created": "2023-09-29T17:09:11.210Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:08.076Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -29976,6 +33507,51 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--0f7a9b56-e3b4-4cc9-9ea7-32faebad74b6", + "created": "2026-04-22T17:59:09.398Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" + }, + { + "source_name": "Colin Gray", + "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" + }, + { + "source_name": "D. Parsons and D. Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, + { + "source_name": "Josh Rinaldi April 2016", + "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", + "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" + }, + { + "source_name": "Langner November 2018", + "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 
2020/09/25 ", + "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:42:26.192Z", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.(Citation: D. Parsons and D. Wylie September 2019)(Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery(Citation: Josh Rinaldi April 2016), BACnet(Citation: Aditya K Sood July 2019), and Ethernet/IP.(Citation: Langner November 2018)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd", 
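Review bot: The `Colin Gray` entry in the `external_references` added for relationship--0f7a9b56 has the D. Parsons and D. Wylie citation spliced into its `description` ahead of its own title. The rendered reference therefore attributes the csiac.org article to the selinc.com paper at that URL. Its `source_name` also lacks the month and year that the other four references in this object carry. The description should read `"description": "Colin Gray How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 "`, with the publication date added once it is confirmed against the linked PDF. If `source_name` is changed, the `(Citation: Colin Gray)` marker in the relationship description has to change with it.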
@@ -29993,6 +33569,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--0fd7d59d-9622-41c0-8e41-4ac4d1ac6655", + "created": "2023-09-28T19:56:40.730Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:31.162Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b", @@ -30027,12 +33620,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--10022aa8-b77b-4173-bcea-bc92d2b9f756", + "created": "2026-04-22T18:59:05.627Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:59:05.627Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--10118728-17b8-41a2-b4d6-d8661bc177df", "created": "2025-09-29T19:06:51.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -30044,6 +33653,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--102553a8-d57d-4946-a9f0-086ef1683e1d", + "created": "2026-04-22T22:32:16.270Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:32:16.270Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523", @@ -30090,12 +33716,10 @@ "id": "relationship--106530e1-375a-4ac4-befb-8297b3b05610", "created": "2023-09-29T18:55:58.199Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:09.431Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", 
@@ -30120,23 +33744,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--10bdec75-567b-4b5a-aaa9-d935ebbba349", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "description": "", - "relationship_type": "detects", - "source_ref": "x-mitre-detection-strategy--2a1619a7-dd27-48e4-b56f-806cb3d2e405", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--111f437a-c67d-40e4-9515-7e9b22e65eff", 
@@ -30173,15 +33780,30 @@ }, { "type": "relationship", - "id": "relationship--11840b30-f0d1-4df5-a960-cdb80749c32a", - "created": "2023-09-29T17:07:25.209Z", + "id": "relationship--112ef370-9936-4c3a-9faf-2861600500bd", + "created": "2025-09-29T22:06:41.935Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-09-29T22:06:41.935Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--11840b30-f0d1-4df5-a960-cdb80749c32a", + "created": "2023-09-29T17:07:25.209Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:10.529Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -30191,15 +33813,29 @@ }, { "type": "relationship", - "id": "relationship--11a82651-4d69-4738-89c6-17d0243cbbb0", - "created": "2023-09-29T17:37:26.536Z", + "id": "relationship--119aea8f-443f-4831-8143-ec6cd43021cb", + "created": "2026-04-20T20:58:48.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-20T20:58:48.359Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--11a82651-4d69-4738-89c6-17d0243cbbb0", + "created": "2023-09-29T17:37:26.536Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:10.753Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
@@ -30207,12 +33843,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--11b201bc-675b-46ac-89a6-80f90deecc12", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--2a1619a7-dd27-48e4-b56f-806cb3d2e405", + "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab", "created": "2021-04-13T12:28:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Ben Hunter and Fred Gutierrez July 2020", @@ -30242,12 +33894,10 @@ "id": "relationship--128de3f9-df58-4122-9523-0ac65a6ebf71", "created": "2023-09-29T17:45:20.237Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:11.438Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
@@ -30301,12 +33951,10 @@ "id": "relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4", "created": "2023-09-28T21:13:23.057Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:12.182Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -30319,7 +33967,6 @@ "id": "relationship--12e84466-fb05-4d55-9220-5933ee0fcb43", "created": "2024-11-20T23:16:42.816Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", @@ -30344,12 +33991,10 @@ "id": "relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36", "created": "2023-09-28T19:39:58.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:12.635Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -30362,7 +34007,6 @@ "id": "relationship--135b08ae-715b-4f45-9f03-0d156547e09b", "created": "2025-09-24T18:18:19.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -30374,12 +34018,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--137ce4a2-be4c-4eb7-b92c-d686fa2a1044", + "created": "2026-04-23T00:04:33.425Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:32:08.567Z", + "description": "Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--13809e98-1d74-4c39-b882-9d523c76cbde", "created": "2021-04-13T12:36:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jos Wetzels January 2018", 
@@ -30401,27 +34062,26 @@ }, { "type": "relationship", - "id": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--13cfe7cd-6ee4-4d8c-8c3e-b115686b7da7", + "created": "2026-04-22T21:39:01.006Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:24:43.876Z", - "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "modified": "2026-04-22T21:39:01.006Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--13d76624-7049-45c5-94d3-8f172b7f6336", "created": "2023-09-27T14:48:58.922Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", 
@@ -30441,6 +34101,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--14055bc9-dc7c-47db-b541-77d05d486018", + "created": "2023-09-29T17:57:55.162Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:02:20.428Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--14178a60-b894-4186-b83b-5ffd043f4cfc", @@ -30450,7 +34127,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--709e05b2-6400-43a2-9bbf-b64f6017b023", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", @@ -30463,12 +34139,10 @@ "id": "relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6", "created": "2023-10-02T20:24:12.666Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:13.959Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
@@ -30481,12 +34155,10 @@ "id": "relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc", "created": "2023-09-29T16:32:33.078Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:14.173Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -30494,34 +34166,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:24:44.608Z", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495", "created": "2023-09-29T16:40:06.079Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:14.631Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -30529,6 +34182,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--152dbbf5-b069-4784-aabd-c50e2fd6bd53", + "created": "2026-04-22T22:51:33.389Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:51:33.389Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--1531a280-e280-465c-826d-ce357935a89c", @@ -30538,7 +34208,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ec442b22-3dc8-4b2b-8294-b76b0f01d748", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", @@ -30551,12 +34220,10 @@ "id": "relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a", "created": "2023-09-28T19:47:25.303Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:15.092Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -30564,17 +34231,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--1582107d-95dd-41ba-b2c0-72200b93a292", + "created": "2026-04-22T20:17:49.689Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:18:26.772Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries changed the login password of Moxa NPort Serial Device Servers to impede system recovery.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--159fb736-ba92-4564-aa6d-db6f64497763", "created": "2023-09-28T20:25:59.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:15.566Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -30582,23 +34272,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--15cf990b-ee67-4f86-a06b-20691274568a", - "created": "2025-09-24T17:57:31.366Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-24T17:57:31.366Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--165e3427-8738-4a89-9964-4593c671e855", @@ -30608,7 +34281,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--b817139c-2941-4523-bfb5-10c36d230871", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", @@ -30621,7 +34293,6 @@ "id": "relationship--1673b2e2-7799-4b5f-b5a9-2c51426a6916", "created": "2024-03-25T20:10:21.706Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jamie Tarabay and Katrina Manson December 2023", 
@@ -30646,12 +34317,10 @@ "id": "relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b", "created": "2023-09-28T20:06:03.889Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:16.202Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", @@ -30664,12 +34333,10 @@ "id": "relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4", "created": "2023-09-29T18:48:52.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:16.427Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -30677,17 +34344,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--16b92a53-7334-42b1-bc55-dcd4907fdd9f", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:27:59.202Z", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--16c7240e-0559-4c49-9003-1bfe97074252", "created": "2024-04-09T21:02:28.446Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:16.647Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
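Review bot: The `description` of the added `relationship--16b92a53-7334-42b1-bc55-dcd4907fdd9f` ends in a literal `\n` after the citation, unlike the other descriptions added in this commit; the value should end `...(Citation: Department of Homeland Security September 2016)",`. Its reference text, `Department of Homeland Security 2016, September Retrieved. 2020/09/25 `, has no document title and a trailing space, so a reader cannot identify the source without following the `url`. The CERT Polska reference added in the hunk at -30564 uses the author, date, title, retrieved form and is the better model. The references in the hunk at -30772 share the `Retrieved. 2020/09/25 ` layout and trailing space and would benefit from the same clean-up.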
@@ -30704,7 +34394,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7f32731d-7800-483c-b077-c4a187a27ae5", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", @@ -30721,7 +34410,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--37b4971d-2eb8-4f87-899c-19acaf0394bb", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", @@ -30729,12 +34417,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--171ed9c4-35f4-4674-b52d-d920c1a08912", + "created": "2026-04-22T13:30:11.351Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:30:11.351Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d", "created": "2023-03-30T18:57:58.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Symantec", 
@@ -30759,12 +34463,10 @@ "id": "relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749", "created": "2023-09-29T17:05:30.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:17.069Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -30772,6 +34474,51 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--17925772-5935-4f50-bf0e-abb5e0bad6b3", + "created": "2026-04-22T20:42:55.066Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" + }, + { + "source_name": "Colin Gray", + "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" + }, + { + "source_name": "D. Parsons and D. Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, + { + "source_name": "Josh Rinaldi April 2016", + "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", + "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" + }, + { + "source_name": "Langner November 2018", + "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 
2020/09/25 ", + "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:46:57.236Z", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.(Citation: D. Parsons and D. Wylie September 2019)(Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet(Citation: Aditya K Sood July 2019), and Ethernet/IP.(Citation: Langner November 2018)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34", 
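Review bot: The `Colin Gray` reference in the added `relationship--17925772-5935-4f50-bf0e-abb5e0bad6b3` has two citations fused into one `description`. It opens with the full Parsons and Wylie entry, which already exists as its own reference directly below, and only then reaches `How SDN Can Improve Cybersecurity in OT Networks`, the paper its `url` appears to point at. The string should carry only the SDN paper's own author, date and title, leaving the Parsons and Wylie text to the `D. Parsons and D. Wylie September 2019` entry. In the relationship `description`, `OPC UA Device Discovery (Citation: Josh Rinaldi April 2016)` also has a space before the citation that the other citations in that sentence do not.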
@@ -30789,35 +34536,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa", - "created": "2023-10-02T20:18:01.546Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:01:17.536Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab", "created": "2023-09-29T17:45:45.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:17.759Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
@@ -30825,30 +34552,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--17fdec71-98e8-4314-a1be-037edede58bd", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:01:17.963Z", - "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "relationship_type": "mitigates", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--182010e6-59c2-42f5-91c7-510891a96483", "created": "2025-09-24T17:56:45.611Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -30865,12 +34573,10 @@ "id": "relationship--1865830b-511d-4302-99f7-6143647a8e40", "created": "2023-10-02T20:23:52.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:18.192Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", @@ -30878,12 +34584,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--18a562d1-0118-4675-9d66-8e9cc138dd43", + "created": "2026-04-22T13:29:20.975Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:29:20.975Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--18ab56e8-79ce-481d-9ab4-e558fbfb5ac5", "created": "2024-03-25T20:08:41.065Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA AA23-335A IRGC-Affiliated December 2023", 
@@ -30928,12 +34650,10 @@ "id": "relationship--18af193c-160a-4cae-9078-4d69de5c2347", "created": "2023-09-29T18:56:21.340Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:18.630Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", @@ -30950,7 +34670,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--732d2487-3241-4866-8bb5-044bb4acdd3b", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", @@ -30963,7 +34682,6 @@ "id": "relationship--18cb8770-09ab-48aa-8ead-b3d0030e47dc", "created": "2025-09-29T19:50:12.817Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -30980,12 +34698,10 @@ "id": "relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75", "created": "2023-09-29T18:02:01.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:18.861Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -31026,7 +34742,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--eabde43f-1872-499d-9642-85a6959c4d28", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", 
@@ -31063,42 +34778,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348", - "created": "2022-09-28T21:18:55.279Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CISA-AA22-103A", - "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:01:19.765Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can send custom Modbus commands to write register values on Schneider PLCs.(Citation: CISA-AA22-103A) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can send write tag values on OPC UA servers.(Citation: CISA-AA22-103A) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c", "created": "2023-09-28T20:11:23.956Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:19.981Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -31111,12 +34799,10 @@ "id": "relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826", "created": "2023-09-28T21:13:49.529Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:20.204Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -31129,12 +34815,10 @@ "id": "relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0", "created": "2023-10-02T20:18:45.122Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:20.422Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
@@ -31161,15 +34845,30 @@ }, { "type": "relationship", - "id": "relationship--1a900ac4-c150-4b57-a899-990854b01d4b", - "created": "2023-09-29T16:33:50.423Z", + "id": "relationship--1a6d5c5a-c1ac-41a6-8b6e-0d5df81b219f", + "created": "2026-04-22T16:40:14.974Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T16:40:14.974Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--1a900ac4-c150-4b57-a899-990854b01d4b", + "created": "2023-09-29T16:33:50.423Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:20.874Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -31182,12 +34881,10 @@ "id": "relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356", "created": "2023-09-29T18:57:45.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:21.089Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", 
@@ -31200,12 +34897,10 @@ "id": "relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d", "created": "2023-09-28T20:09:21.736Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:21.309Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -31230,47 +34925,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--1acc3a43-2961-4e4c-a237-f426a2df6be5", - "created": "2024-03-25T20:05:52.868Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CISA AA23-335A IRGC-Affiliated December 2023", - "description": "DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.", - "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a" - }, - { - "source_name": "CISA Unitronics November 2023", - "description": "DHS/CISA. (2023, November 28). Exploitation of Unitronics PLCs used in Water and Wastewater Systems. Retrieved March 25, 2024.", - "url": "https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:01:21.720Z", - "description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) discovered and exploited default credentials found on many Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). 
For many of these devices, the default password was set to \u20181111\u2019.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: CISA Unitronics November 2023)", - "relationship_type": "uses", - "source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185", "created": "2023-09-29T18:01:06.725Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:22.157Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -31283,7 +34946,6 @@ "id": "relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d", "created": "2024-09-11T22:51:15.202Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Claroty Fuxnet 2024", @@ -31308,12 +34970,10 @@ "id": "relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5", "created": "2023-09-29T17:43:41.332Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:22.572Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
@@ -31326,12 +34986,10 @@ "id": "relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b", "created": "2023-09-29T16:41:44.745Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:22.779Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -31344,7 +35002,6 @@ "id": "relationship--1bb30143-97e5-4bbd-9c2b-1d8de70aa10c", "created": "2025-09-24T18:24:36.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -31358,15 +35015,29 @@ }, { "type": "relationship", - "id": "relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738", - "created": "2023-09-29T18:00:32.581Z", + "id": "relationship--1bb7b8cf-b584-427c-97e8-e4b60750d308", + "created": "2026-04-20T20:54:20.114Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-20T20:54:20.114Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738", + "created": "2023-09-29T18:00:32.581Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:22.979Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -31390,26 +35061,24 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:23.423Z", - "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "modified": "2026-04-23T20:02:42.183Z", + "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.(Citation: IEC February 2019)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1c7df4f1-cee5-42c6-a974-29552552666f", "created": "2023-09-28T19:47:08.952Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:23.628Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -31423,36 +35092,44 @@ "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:23.875Z", - "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.(Citation: Anton Cherepanov, ESET June 2017)\n\n[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.", + "modified": "2026-04-23T14:12:46.565Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--1cb7bae3-c3d7-43ba-8e51-3fd4d13b7680", + "created": "2023-09-29T17:04:26.769Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:01:46.267Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081", "created": "2023-09-29T18:46:12.052Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:24.077Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -31465,7 +35142,6 @@ "id": "relationship--1d0daee9-621c-47c8-b9f3-3b9a6dc5ea13", "created": "2025-09-29T19:46:29.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -31482,7 +35158,6 @@ "id": "relationship--1d35c947-447f-4693-9ab0-32dff56e664e", "created": "2021-04-13T12:45:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
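Review bot: The rewritten description on the Industroyer `uses` relationship (source `malware--e401d4fe-f0c9-44f0-98e6-f93487678808`, target `attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061`) is left with no provenance. The hunk deletes the whole `external_references` array along with the first paragraph, and the surviving OPC DA sentence never carried a `(Citation: …)` marker of its own. If the ESET report is still the source for the OPC DA enumeration claim, which seems likely but cannot be confirmed from the hunk, keep the `Anton Cherepanov, ESET June 2017` entry in `external_references` and end the description with `(Citation: Anton Cherepanov, ESET June 2017)`. The removed sentence about IEC 61850 device discovery on port 102 is presumably re-homed on another relationship outside this hunk; confirm that, so the behaviour is not lost to consumers who map detections to this technique. The object's opening lines, including its `id`, lie above the hunk.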
@@ -31511,7 +35186,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--33dd1c37-1702-4de2-9712-fcc640e4b681", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", @@ -31524,12 +35198,10 @@ "id": "relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653", "created": "2023-09-29T17:40:22.705Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:24.766Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -31542,7 +35214,6 @@ "id": "relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57", "created": "2023-09-27T13:22:26.752Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", @@ -31567,7 +35238,6 @@ "id": "relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335", "created": "2021-04-13T12:28:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Ben Hunter and Fred Gutierrez July 2020", 
@@ -31589,43 +35259,75 @@ }, { "type": "relationship", - "id": "relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e", - "created": "2023-09-28T21:12:25.345Z", + "id": "relationship--1dd94603-3686-4dd5-b0be-2cdc43b0c1fb", + "created": "2025-09-29T19:51:44.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:25.760Z", - "description": "", + "modified": "2025-09-29T19:51:44.665Z", "relationship_type": "targets", - "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", - "id": "relationship--1f785984-791e-4612-be32-9ee6903a9c0b", - "created": "2022-09-28T20:26:09.928Z", + "id": "relationship--1ddb73e6-b7a8-4f4d-bf8b-f9de3a5ef52a", + "created": "2026-04-23T00:03:40.026Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:26.160Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "modified": "2026-04-23T20:06:11.973Z", + "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.(Citation: IEC February 2019)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--1efbe3b3-4e8d-4f3f-b9f9-098c85840e33", + "created": "2026-04-22T16:39:31.542Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:39:31.542Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": 
"relationship", + "id": "relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e", + "created": "2023-09-28T21:12:25.345Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:01:25.760Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" @@ -31647,6 +35349,22 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--1f886c01-1fff-452e-bb24-009c91be9b69", + "created": "2026-04-20T20:54:18.047Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:18.047Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--1f8abf6f-0dd0-4449-b555-733fe7296177", 
@@ -31663,14 +35381,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:26.813Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. (Citation: Jos Wetzels January 2018)", + "modified": "2026-04-23T18:40:49.819Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System.(Citation: Jos Wetzels January 2018)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -31689,30 +35407,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8", - "created": "2023-09-29T17:09:59.595Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:01:27.268Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Tom Fakterman August 2019", @@ -31737,12 +35436,10 @@ "id": "relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3", "created": "2023-09-28T19:54:37.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:27.677Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -31759,7 +35456,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--04bcf663-e6cd-42bf-8864-f4d1ad345263", "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", 
@@ -31776,7 +35472,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ae24274b-0e20-451e-a883-6eeb0e8e7d00", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", 
@@ -31784,51 +35479,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--206cc4c8-797e-427b-86f1-4c81df391c6e", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "Dwight Anderson 2014", - "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", - "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:24:52.265Z", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b", "created": "2023-03-30T19:26:19.782Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 Mandiant April 2022", @@ -31882,12 +35537,10 @@ "id": "relationship--208fe57b-cf2e-4188-8a6f-77597cd60351", "created": "2023-09-29T17:44:43.317Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:29.056Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -31900,7 +35553,6 @@ "id": "relationship--20913dc0-33cc-43f8-bd34-a2f9a4a5fbd3", "created": "2025-09-24T18:24:19.525Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -31912,6 +35564,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--2091a0be-48ce-4d5c-963b-8ba2842b57e3", + "created": "2026-04-22T20:36:02.162Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:36:02.162Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84", @@ -31934,7 +35603,6 @@ "id": "relationship--20f66fab-7a08-4707-ac79-92dac5acd11d", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", @@ -31959,7 +35627,6 @@ "id": "relationship--21041206-da58-45c7-adb0-db07caebdcb6", "created": "2021-04-13T12:36:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", 
@@ -31984,12 +35651,10 @@ "id": "relationship--21058f32-3d6e-4381-9288-5c2248e84cce", "created": "2023-09-29T18:44:27.240Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:29.950Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -32002,12 +35667,10 @@ "id": "relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4", "created": "2023-09-28T19:44:53.873Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:30.435Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -32020,12 +35683,10 @@ "id": "relationship--21470001-67f2-47cf-af21-784e5024ac1d", "created": "2023-09-29T18:01:22.023Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:30.632Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -32038,12 +35699,10 @@ "id": "relationship--2159458f-87fc-4479-81f4-a2521a378221", "created": "2023-09-28T21:22:09.790Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:31.056Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -32056,12 +35715,10 @@ "id": "relationship--21aa6331-3419-4049-b180-8349b71e1f2a", "created": "2023-09-28T21:11:03.947Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:31.273Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -32093,12 +35750,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--21c7b1bb-ba40-4843-b462-079b1b85c01b", + "created": "2026-04-22T16:08:04.299Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:08:41.550Z", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--21e0e769-cc74-4e3b-8f88-072ebf8eaaf2", "created": "2025-09-29T19:24:56.529Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -32143,7 +35824,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--3e884c49-75ca-449e-83cb-3517ee88e0f1", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", 
@@ -32156,7 +35836,6 @@ "id": "relationship--22448288-32d9-4d2c-be16-0784e119fff1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -32174,12 +35853,10 @@ "id": "relationship--22548926-29b4-4882-9878-633375489c0e", "created": "2023-09-28T20:30:50.842Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:32.138Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", @@ -32192,7 +35869,6 @@ "id": "relationship--2287eabb-5349-4d3e-938a-7d6023d7e02c", "created": "2025-09-29T22:04:12.484Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -32209,12 +35885,10 @@ "id": "relationship--2289f005-7863-4af5-b681-cdfc03d3f111", "created": "2023-09-29T18:56:08.414Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:32.376Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", @@ -32227,7 +35901,6 @@ "id": "relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET", 
@@ -32249,33 +35922,29 @@ }, { "type": "relationship", - "id": "relationship--22ba5443-ea49-4076-a666-722eb5352f70", - "created": "2023-09-28T20:02:45.697Z", + "id": "relationship--22ae18ec-d856-483c-a2ab-9db0739b0475", + "created": "2026-04-20T20:54:19.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:32.818Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "modified": "2026-04-20T20:54:19.543Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", + "target_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--232c7049-7609-46a9-8bbe-38672713f853", "created": "2023-09-28T21:15:32.371Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:33.029Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -32288,12 +35957,10 @@ "id": "relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49", "created": "2023-09-29T16:43:53.940Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:33.285Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -32301,23 +35968,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--234da455-b795-4788-bc5d-22b4b58b2dc7", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:24:55.506Z", - "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--23564002-f836-4da6-a083-e086a606f0eb", @@ -32327,7 +35977,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--08c090e3-c56f-4a8b-80f6-307a1daf46ea", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", 
@@ -32337,15 +35986,29 @@ }, { "type": "relationship", - "id": "relationship--23851bda-49de-4f35-979f-c4e6b5742389", - "created": "2024-04-09T20:59:53.669Z", + "id": "relationship--2361ff8c-68a1-4899-a046-ba1b083272de", + "created": "2026-04-20T20:54:23.490Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-20T20:54:23.490Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--23851bda-49de-4f35-979f-c4e6b5742389", + "created": "2024-04-09T20:59:53.669Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:33.748Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -32358,7 +36021,6 @@ "id": "relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Microsoft Security Response Center August 2017", 
@@ -32383,6 +36045,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--23f33619-c64e-4999-85c1-b5c88e570e46", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:25:13.765Z", + "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981", 
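Review bot: The `description` of the added `relationship--23f33619-c64e-4999-85c1-b5c88e570e46` ends in a literal `\n`, whereas the mitigation descriptions newly written in this commit (for example `"Implement network allowlists to minimize network access to only authorized hosts."`) do not. The same trailing `\n` is on `relationship--2c6c4752-536e-4b96-86d7-7efe88350082` in the `@@ -33078` hunk. A trailing newline inside the string defeats exact-match comparison of mitigation text across releases and shows up as stray whitespace in rendered output. I would end the value at `...to gain unauthorized access."` with no `\n`.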
@@ -32424,17 +36104,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--2445124d-1fc9-49ad-8715-96053f39d717", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:30.532Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a hardcoded password in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07", "created": "2023-09-28T20:25:47.357Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:34.622Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -32447,7 +36150,6 @@ "id": "relationship--245c8c36-28e5-4508-a585-7768cb33299a", "created": "2023-03-10T20:06:10.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", @@ -32469,15 +36171,31 @@ }, { "type": "relationship", - "id": "relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d", - "created": "2024-04-09T21:00:24.049Z", + "id": "relationship--246ba662-bd89-4295-b603-582ebad285da", + "created": "2026-04-23T00:27:24.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T17:34:11.928Z", + "description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d", + "created": "2024-04-09T21:00:24.049Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:35.080Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -32485,42 +36203,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--24885921-734f-46c1-85d7-3f79e0b886d6", - "created": "2023-09-27T14:51:18.262Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Ukraine15 - EISAC - 201603", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", - "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:01:35.317Z", - "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet gateways with custom firmware to make systems either disabled, shutdown, and/or unrecoverable. 
(Citation: Ukraine15 - EISAC - 201603)", - "relationship_type": "uses", - "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5", "created": "2023-09-29T17:07:55.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:35.532Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", @@ -32533,12 +36224,10 @@ "id": "relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe", "created": "2023-09-28T20:10:06.838Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:35.763Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", @@ -32551,12 +36240,10 @@ "id": "relationship--250212f0-a149-4a14-af83-94f7fcedc021", "created": "2023-09-28T20:26:29.934Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:35.960Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -32566,15 +36253,30 @@ }, { "type": "relationship", - "id": "relationship--25281488-be20-4d83-89d1-1da7ea836037", - "created": "2023-09-29T17:40:47.898Z", + "id": "relationship--25095116-7b71-4a6d-8a98-b60adff61372", + "created": "2026-04-22T22:57:07.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T22:57:07.320Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--527668a3-cc0c-48c2-856a-a45615817366", + "target_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--25281488-be20-4d83-89d1-1da7ea836037", + "created": "2023-09-29T17:40:47.898Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:36.185Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -32587,7 +36289,6 @@ "id": "relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3", "created": "2023-03-30T18:57:21.754Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Kevin Savage and Branko Spasojevic", @@ -32612,7 +36313,6 @@ "id": "relationship--25e7ca82-2784-433a-90a9-a3483615a655", "created": "2019-04-12T17:01:01.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye WannaCry 2017", 
@@ -32627,7 +36327,7 @@ { "source_name": "FireEye APT38 Oct 2018", "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.", - "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" + "url": "https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf" }, { "source_name": "LogRhythm WannaCry", @@ -32638,21 +36338,20 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T22:03:05.097Z", + "modified": "2025-11-13T19:21:05.136Z", "description": "(Citation: FireEye APT38 Oct 2018)(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)", "relationship_type": "uses", "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7", "created": "2023-03-10T20:34:25.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", @@ -32681,7 +36380,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--47c6f72c-1f2f-4ea8-94d0-08202b7d5bdb", "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", @@ -32694,7 +36392,6 @@ "id": "relationship--26d68f5d-6ee5-4d98-b175-943366ccc038", "created": "2020-10-14T21:33:27.046Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos October 2018", 
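Review bot: The `FireEye APT38 Oct 2018` reference now points at `https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf`, but its unchanged description still reads `Retrieved November 17, 2024.`, the retrieval date recorded for the previous mandiant.com URL. If the new link was verified when `modified` was bumped to `2025-11-13T19:21:05.136Z`, the citation should say so, e.g. `Retrieved <date the new URL was checked>.`. Otherwise a reader cannot tell whether the document at the new host was ever compared with the one originally cited.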
@@ -32714,24 +36411,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--26e58427-a2bd-4e77-9939-16ef60a072e7", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:01:37.528Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e", @@ -32761,7 +36440,6 @@ "id": "relationship--274994e7-1fe9-463a-9979-46c72107bf9b", "created": "2023-03-30T18:56:47.685Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET", 
@@ -32805,12 +36483,79 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--278cf882-835f-4e65-a8fc-bb8956dcbea0", + "created": "2025-09-29T19:47:53.277Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-29T19:47:53.277Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--27cac33f-cb57-45ff-8312-5ebac2e22396", + "created": "2026-04-22T17:50:24.743Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T17:50:24.743Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--27f87692-30c1-4693-b209-fdc78382badd", + "created": "2023-09-28T20:17:07.288Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:42.230Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": 
"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--282731bc-968f-432a-937a-0343f3a8ba35", + "created": "2026-04-22T22:32:58.268Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:32:58.268Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--2867f491-919b-463f-b689-bb3ceb7ae99f", "created": "2022-09-28T20:31:07.486Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos-Pipedream", @@ -32845,12 +36590,10 @@ "id": "relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad", "created": "2023-09-29T18:05:32.443Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:38.580Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -32863,7 +36606,6 @@ "id": "relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
@@ -32885,15 +36627,66 @@ }, { "type": "relationship", - "id": "relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e", - "created": "2023-09-28T21:26:47.115Z", + "id": "relationship--28b06a92-2933-49f5-887e-c09cf1bb861f", + "created": "2026-04-22T22:52:28.627Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T17:18:25.444Z", + "description": "Implement network allowlists to minimize network access to only authorized hosts.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--28bb99c4-ac44-406c-bd5d-cabb273363fb", + "created": "2026-04-23T00:28:35.816Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:38:38.883Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--28d4feb4-7a87-4376-8401-d579f830472b", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--4ea060f9-f6fc-4122-9544-70afd567ea10", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e", + "created": "2023-09-28T21:26:47.115Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:39.000Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -32903,15 +36696,30 @@ }, { "type": "relationship", - "id": "relationship--296375b0-817d-4f42-afe1-4308f5edf973", - "created": "2023-09-28T21:10:25.193Z", + "id": "relationship--29397fec-dc16-4407-81a2-9e53cc082570", + "created": "2026-04-22T13:29:48.617Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T13:29:48.617Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--296375b0-817d-4f42-afe1-4308f5edf973", + "created": "2023-09-28T21:10:25.193Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:39.198Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -32936,34 +36744,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--299b13fd-255a-416e-a845-5aa87745d693", - "created": "2025-09-29T19:51:44.664Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T19:51:44.665Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81", "created": "2023-09-29T18:46:39.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:39.889Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -32976,7 +36765,6 @@ "id": "relationship--29ebbcee-3c41-42e1-8a3e-1c6678ca5ece", "created": "2025-09-29T19:46:51.576Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -32993,12 +36781,10 @@ "id": "relationship--2a451896-81aa-4eed-a444-4d04661adeeb", "created": "2023-09-29T16:43:42.911Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:40.097Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -33011,12 +36797,10 @@ "id": "relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe", "created": "2023-09-28T19:38:46.361Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:40.314Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -33024,6 +36808,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--2ad5f781-1f7c-4bb9-984a-9299a307132f", + "created": "2026-04-22T16:40:40.952Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:40:40.952Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566", 
@@ -33046,12 +36847,10 @@ "id": "relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1", "created": "2023-09-29T18:46:54.684Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:40.766Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -33068,7 +36867,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ffeac6e1-798f-41b1-8baf-2650d2ebe031", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", 
@@ -33078,35 +36876,34 @@ }, { "type": "relationship", - "id": "relationship--2c79920a-f2d1-4114-a1df-924835da645c", - "created": "2023-09-28T19:53:00.672Z", + "id": "relationship--2c6c4752-536e-4b96-86d7-7efe88350082", + "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:40.983Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "modified": "2026-04-23T15:26:14.965Z", + "description": "Provide an alternative method for sending critical command messages to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", - "id": "relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--2c79920a-f2d1-4114-a1df-924835da645c", + "created": "2023-09-28T19:53:00.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:25:00.291Z", - "description": "Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status 
data.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "modified": "2025-04-16T23:01:40.983Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" @@ -33137,15 +36934,30 @@ }, { "type": "relationship", - "id": "relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2", - "created": "2023-09-29T16:33:12.887Z", + "id": "relationship--2ce3d5d3-6575-4b4c-a67c-64fb31974540", + "created": "2023-09-28T21:16:44.471Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:01:48.301Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2", + "created": "2023-09-29T16:33:12.887Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:41.964Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -33153,6 +36965,71 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--2d17672c-ceaf-4fbb-8f3e-a00996b240c8", + "created": "2026-04-22T20:26:56.868Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + }, + { + "source_name": "Dragos ELECTRUM JAN 2026", + "description": "https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf. (2026, January). ELECTRUM: CYBER ATTACK ON POLAND\u2019S ELECTRIC SYSTEM 2025. Retrieved April 22, 2026.", + "url": "https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:43:53.991Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries wiped devices and also damaged Mikronika RTUs, Hitachi Relion Protection and Control Relays (IEDs), and HMI workstations resulting in a loss of communications and view between the facility and the distribution system operators (DSO).(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--2d312430-66d1-4549-a5f9-47abc2730e43", + "created": "2023-09-29T16:46:12.472Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:30.059Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--2d621264-4a6d-4bc7-abaf-89a89c2ef813", + "created": "2026-04-22T16:03:38.326Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:51:51.532Z", + "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca", @@ -33175,12 +37052,10 @@ "id": "relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe", "created": "2023-09-29T17:39:15.857Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:42.621Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
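Review bot: The second `external_references` entry added for `relationship--2d17672c-ceaf-4fbb-8f3e-a00996b240c8` (`Dragos ELECTRUM JAN 2026`) has the report URL where the citation's author belongs, so the rendered citation will open with a raw link. The CERT Polska entry just above it shows the expected `Author. (date). Title. Retrieved …` shape. Assuming the publisher is Dragos, as the `source_name` suggests, the description would read `Dragos. (2026, January). ELECTRUM: CYBER ATTACK ON POLAND\u2019S ELECTRIC SYSTEM 2025. Retrieved April 22, 2026.`. The `url` also points at an `hs-sites.com` host rather than a publisher domain visible in this diff, so it is worth confirming that this is the canonical, stable location before consumers of the bundle start following it.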
@@ -33190,15 +37065,56 @@ }, { "type": "relationship", - "id": "relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a", - "created": "2023-09-28T19:40:51.425Z", + "id": "relationship--2dd1d205-55e4-4226-9221-5839f2268e57", + "created": "2026-04-22T20:24:29.733Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:24:29.733Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries corrupted the firmware in the Hitachi RTUs resulting in a fault that triggered a reboot loop.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--2de38f5e-b97c-498a-a4c9-f13e5d2d233c", + "created": "2023-03-22T15:53:59.953Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:00:57.527Z", + "description": "Devices and programs that receive command messages from remote systems (e.g., control servers) should verify those commands before taking any actions on them.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", + "target_ref": 
"attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a", + "created": "2023-09-28T19:40:51.425Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:43.048Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -33235,6 +37151,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--2e9a021d-6dbe-4ee5-a98b-041bb13d2836", + "created": "2026-04-22T16:38:10.305Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:38:10.305Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552", 
@@ -33264,12 +37197,10 @@ "id": "relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8", "created": "2023-09-28T20:02:05.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:43.954Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -33282,7 +37213,6 @@ "id": "relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f", "created": "2023-09-27T14:47:29.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", 
@@ -33307,17 +37237,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--2f15fa70-7e2d-4ef3-9654-0404e71ac343", + "created": "2022-09-28T21:18:55.279Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:01:19.765Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can send custom Modbus commands to write register values on Schneider PLCs.(Citation: CISA-AA22-103A) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can send write tag values on OPC UA servers.(Citation: CISA-AA22-103A) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--2f457bef-1721-4e0f-b236-24e4652a31b4", "created": "2023-09-29T16:29:53.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:44.422Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -33371,12 +37324,10 @@ "id": "relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd", "created": "2024-04-09T21:02:56.157Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:45.125Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -33386,15 +37337,31 @@ }, { "type": "relationship", - "id": "relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50", - "created": "2023-09-28T20:30:21.865Z", + "id": "relationship--2f8c9deb-aefe-4fa3-b00c-ec15fd154233", + "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-28T15:25:20.807Z", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50", + "created": "2023-09-28T20:30:21.865Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:45.376Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", @@ -33431,7 +37398,6 @@ "id": "relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
@@ -33451,17 +37417,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--2fd35996-196f-4a58-9dab-07f52c74f4d3", + "created": "2026-04-20T20:54:17.065Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:17.065Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9", "created": "2023-09-28T19:43:28.167Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:46.041Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -33469,24 +37449,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--2fe222c4-cc81-473d-956e-235e2961a5c3", - "created": "2023-09-29T17:04:26.769Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:01:46.267Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--2ff351dc-5b86-4a5b-b0f0-7ac1af8f891f", @@ -33496,7 +37458,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--336b9423-5543-4354-bd00-13c614ccdc96", "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", 
@@ -33540,17 +37501,35 @@ }, { "type": "relationship", - "id": "relationship--302eb257-cd1f-468e-a9f2-3229a7737bb1", - "created": "2025-10-21T15:10:28.402Z", + "id": "relationship--3003564d-fb12-4509-946b-818e4e5b8431", + "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:10:28.402Z", - "description": "", - "relationship_type": "detects", - "source_ref": "x-mitre-detection-strategy--4ea060f9-f6fc-4122-9544-70afd567ea10", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "modified": "2025-04-28T15:26:43.150Z", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--30227ffe-9019-4fed-9ee2-e4cfba77e3ec", + "created": "2026-04-22T20:42:19.762Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:42:19.762Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" 
@@ -33560,12 +37539,10 @@ "id": "relationship--305866af-1f36-49e0-a57d-d5faaf29011c", "created": "2023-09-28T20:34:52.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:46.946Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -33573,12 +37550,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--3066ddc9-b4e8-41b6-a28f-9de5030cb714", + "created": "2026-04-22T15:56:30.348Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T15:56:30.348Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--73773bb8-c63b-4d48-9b48-33440f12a514", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--309e4558-e591-4d03-9bb9-07d30acf011f", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "McAfee Labs October 2019", @@ -33607,7 +37600,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c94af5cb-61c3-4180-81e7-30c1669f4252", "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", 
@@ -33615,12 +37607,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--316110bc-9b4c-41e4-96eb-d8051a4fda6c", + "created": "2023-09-28T20:16:05.975Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:02:47.650Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--317ce6a3-7767-4be3-a201-004368f1b2ec", "created": "2025-09-29T19:53:08.323Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -33637,7 +37645,6 @@ "id": "relationship--31897c41-1d47-4a34-b531-21c3f74651a8", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", 
@@ -33657,12 +37664,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--31b8d0d3-2e81-4367-80c0-1173988e77d7", + "created": "2026-04-23T00:04:58.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:33:04.080Z", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Eduard Kovacs March 2018", 
@@ -33687,24 +37711,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a", - "created": "2023-10-02T20:18:11.933Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:01:48.055Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--31e67caf-6b34-4651-96fc-5b97609c843a", @@ -33714,7 +37720,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ad675d25-2829-48e5-8475-28f1ed5d813a", "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", 
@@ -33722,24 +37727,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce", - "created": "2023-09-28T21:16:44.471Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:01:48.301Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--321dfef3-01bf-40ee-901e-6354b945c31a", @@ -33749,7 +37736,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--b6a6d95c-e3b5-438d-a095-3fb0859c8f45", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", 
@@ -33757,34 +37743,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--322690b0-eb2a-42a4-a072-3241f7b78033", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "description": "", - "relationship_type": "detects", - "source_ref": "x-mitre-detection-strategy--05f7d4e4-ae99-4339-b71a-59f1e317dc6d", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5", "created": "2023-09-28T20:26:15.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:48.778Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", @@ -33797,7 +37764,6 @@ "id": "relationship--327916f7-fe5d-4858-adeb-f72f74c60c25", "created": "2021-10-08T15:25:32.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
@@ -33822,12 +37788,10 @@ "id": "relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b", "created": "2023-09-28T21:21:07.833Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:49.213Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -33837,15 +37801,30 @@ }, { "type": "relationship", - "id": "relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b", - "created": "2023-09-28T20:10:23.215Z", + "id": "relationship--32b2bb93-7ddc-4f96-8bfd-2534309a9d75", + "created": "2023-09-29T17:45:55.581Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:04:19.116Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b", + "created": "2023-09-28T20:10:23.215Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:49.426Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -33858,12 +37837,10 @@ "id": "relationship--32d15d1a-04ba-4035-907a-e2871425e8d1", "created": "2023-09-28T20:28:40.722Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:49.640Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", @@ -33893,12 +37870,10 @@ "id": "relationship--3334e647-fd5d-481d-a7f9-66f73911a57a", "created": "2023-09-28T19:45:30.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:50.097Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -33906,29 +37881,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:25:05.720Z", - "description": "Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--337f366d-3d76-470c-8ee2-0e2252648282", "created": "2024-03-25T20:19:43.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -33943,46 +37900,43 @@ }, { "type": "relationship", - "id": "relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7", - "created": "2023-09-29T16:47:08.696Z", + "id": "relationship--33974565-1d55-445f-9f6f-983707000cf4", + "created": "2026-04-22T22:50:10.723Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:50.768Z", - "description": "", + "modified": "2026-04-22T22:50:10.723Z", "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", - "id": "relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5", - "created": "2023-09-29T18:07:41.540Z", + "id": "relationship--33b1b49f-012d-4af3-835a-32d8c75b9e1b", + "created": "2026-04-22T20:38:11.633Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:51.006Z", - "description": "", + "modified": "2026-04-22T20:38:11.633Z", "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - 
"x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3412e6dd-6adb-4c91-a5d8-c4f68dd362d5", "created": "2025-09-24T18:21:00.372Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -33999,7 +37953,6 @@ "id": "relationship--34535779-9957-4766-a7fc-e8d4dbfb5eee", "created": "2025-09-24T17:57:06.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -34013,15 +37966,30 @@ }, { "type": "relationship", - "id": "relationship--3471632d-253d-469e-9e8c-3b291b4ae88a", - "created": "2023-09-28T21:14:15.274Z", + "id": "relationship--345e698d-8302-4e84-9c5b-c3b78972c0e1", + "created": "2026-04-22T13:54:38.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T13:54:38.311Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--3471632d-253d-469e-9e8c-3b291b4ae88a", + "created": "2023-09-28T21:14:15.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:51.437Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
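Review bot: The `revoked` key ends up present on some relationship objects and absent on others in the same bundle. In this hunk the new `relationship--345e698d-8302-4e84-9c5b-c3b78972c0e1` keeps `"revoked": false`, while the re-emitted `relationship--3471632d-253d-469e-9e8c-3b291b4ae88a` right after it has the key stripped; the hunks at `@@ -33943` and `@@ -34288` show the same mix. A consumer that filters revoked content therefore has to treat a missing key as false, and a strict equality check on the field would silently skip the stripped objects. Either drop `"revoked": false,` from the newly added objects too, or keep it everywhere. The two `revoked-by` relationships added at `@@ -34053` and `@@ -34447` likewise omit `x_mitre_deprecated`, which every other added relationship carries.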
@@ -34053,6 +38021,22 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--3484426b-33b6-4f9b-9b62-3dd114794848", + "created": "2026-04-20T20:58:46.793Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:46.793Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b", @@ -34077,6 +38061,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--34cacc74-a461-4ed9-a683-952cbeea6e1d", + "created": "2026-04-23T00:36:39.544Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:36:39.544Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033", 
@@ -34094,12 +38095,51 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--34dcc9e8-a43a-475b-81b6-b15240545075", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + }, + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:02:59.357Z", + "description": "Segment operational assets and their management devices based on their functional role within the process. 
Enabling more strict isolation to more critical control and operational information within the control environment.(Citation: Karen Scarfone; Paul Hoffman September 2009)(Citation: Keith Stouffer May 2015)(Citation: Department of Homeland Security September 2016)(Citation: Dwight Anderson 2014) \n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TRITON", 
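Review bot: The added `description` for `relationship--34dcc9e8-a43a-475b-81b6-b15240545075` ends with a sentence fragment ("Enabling more strict isolation to more critical control and operational information within the control environment.") followed by a trailing ` \n`, and both will show up verbatim wherever the mitigation text is rendered. I would join the fragment to the preceding sentence, `…based on their functional role within the process, enabling stricter isolation of more critical control and operational information within the control environment.`, and drop the trailing space and newline. The four `external_references` descriptions in the same object also carry a misplaced period and trailing space (`Retrieved. 2020/09/25 `), unlike the citation form used for the CERT Polska reference added at `@@ -34505`.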
@@ -34124,42 +38164,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--351e19c4-c16e-493a-9800-a433107aacf1", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:01:52.519Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. (Citation: DHS CISA February 2019)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--3526acc8-8834-4aaa-87a5-51e587360cf5", "created": "2023-09-29T18:45:47.394Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:52.764Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -34172,7 +38185,6 @@ "id": "relationship--352ed52c-88ba-4731-a917-4c33da0f29d4", "created": "2023-09-27T14:44:00.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Andy Greenberg June 2017", @@ -34197,7 +38209,6 @@ "id": "relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -34215,7 +38226,6 @@ "id": "relationship--35d3a730-4de6-4406-a025-ad29340985c2", "created": "2025-09-24T18:21:48.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -34232,7 +38242,6 @@ "id": "relationship--3618a010-b94b-4974-b1be-7630d5c853c1", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Robert Falcone, Bryan Lee May 2016", 
@@ -34252,12 +38261,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--3623e266-6de4-4165-b0fb-e9abf0813e5d", + "created": "2026-04-22T22:31:00.015Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:31:00.015Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--3666c249-26c8-4aad-8dc7-5d07253b1c5c", "created": "2025-09-29T19:07:15.758Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -34288,15 +38313,31 @@ }, { "type": "relationship", - "id": "relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d", - "created": "2023-09-28T20:29:27.153Z", + "id": "relationship--3680ab7a-254b-426c-b417-460712c2f357", + "created": "2026-04-22T20:43:20.666Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T16:43:29.753Z", + "description": "Ensure proper network segmentation is followed to protect critical servers and devices.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d", + "created": "2023-09-28T20:29:27.153Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:54.072Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", @@ -34309,12 +38350,10 @@ "id": "relationship--37048032-b41d-47d8-9c73-7b706bef24d1", "created": "2023-09-28T20:27:58.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:54.320Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -34327,7 +38366,6 @@ "id": "relationship--371fe079-430d-46dc-ad31-a53838fc6c24", "created": "2025-09-29T19:06:13.410Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -34344,12 +38382,10 @@ "id": "relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be", "created": "2023-09-28T21:13:36.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:54.521Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -34362,12 +38398,10 @@ "id": "relationship--3731962f-64e7-4750-ac8b-40b97eef8725", "created": "2023-09-29T16:41:15.943Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:54.729Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -34380,7 +38414,6 @@ "id": "relationship--373627f1-5e68-45ab-b1ac-c063d9585a3e", "created": "2025-09-24T17:56:56.872Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -34397,12 +38430,10 @@ "id": "relationship--374837a0-6109-4c95-bee6-893b25ac71cf", "created": "2023-09-28T21:13:12.715Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:54.931Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -34415,7 +38446,6 @@ "id": "relationship--37754ab4-03de-475b-8eb2-4ac3fad63852", "created": "2025-09-29T19:06:24.302Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -34432,12 +38462,10 @@ "id": "relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2", "created": "2023-09-29T16:31:46.749Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:55.587Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -34447,27 +38475,76 @@ }, { "type": "relationship", - "id": "relationship--37f69c20-9158-4091-88dd-fc42b85de265", - "created": "2025-09-24T18:20:10.625Z", + "id": "relationship--37e1b5d8-c800-4eee-9348-e183cc62d385", + "created": "2023-09-28T21:09:33.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-09-24T18:20:10.625Z", + "modified": "2025-04-16T23:03:10.979Z", "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--37f0a727-5b6a-4acc-83fc-e2c13f5acc39", + "created": "2026-04-22T22:50:35.824Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:50:35.824Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--380ef144-1443-4df1-b7de-a6ed3d66d573", + "created": "2026-04-22T13:28:38.829Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"modified": "2026-04-22T13:28:38.829Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--3838eb1c-488a-4e73-bc3d-e25cacd6926d", + "created": "2026-04-20T20:58:37.797Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:37.797Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--383e242a-72d4-4b40-8905-888595c34919", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Kelly Jackson Higgins", @@ -34492,12 +38569,10 @@ "id": "relationship--3843dcca-62a2-4224-9241-05f981fa880a", "created": "2023-09-28T19:46:23.921Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:56.034Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -34505,17 +38580,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--387a9ace-17bd-484b-8d54-d3bbc1304c90", + "created": "2026-04-22T20:08:53.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T01:12:18.402Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used Advanced Port Scanner and Advanced IP Scanner to conduct remote system discovery activities.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--38bda770-c470-4358-a9ad-a5b39bec026b", "created": "2023-09-29T16:28:28.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:56.485Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -34528,7 +38626,6 @@ "id": "relationship--393983b0-aeb0-4cc0-ae77-8180fe9f8f87", "created": "2025-09-24T18:04:47.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -34545,12 +38642,10 @@ "id": "relationship--39452123-574f-4f3a-95ec-a90170a3d7eb", "created": "2023-10-02T20:20:44.850Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:56.704Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", @@ -34563,12 +38658,10 @@ "id": "relationship--399126a9-815d-4c3b-9d5e-f57d698ac742", "created": "2023-09-28T19:40:36.023Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:56.917Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -34578,15 +38671,31 @@ }, { "type": "relationship", - "id": "relationship--39e5a489-f557-4130-a285-e0a82f40685c", - "created": "2023-09-28T19:46:38.112Z", + "id": "relationship--39dcfc44-5f18-475f-b431-22032a14cbe5", + "created": "2026-04-22T22:52:48.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T17:17:42.859Z", + "description": "Segment operational networks to isolate critical systems and devices that do not require broad network access.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--39e5a489-f557-4130-a285-e0a82f40685c", + "created": "2023-09-28T19:46:38.112Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:57.345Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -34599,12 +38708,10 @@ "id": "relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584", "created": "2023-09-28T19:40:21.763Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:57.561Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -34617,7 +38724,6 @@ "id": "relationship--3a04717f-b74c-4096-b031-ee7115fdc3c9", "created": "2024-03-28T14:29:30.576Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TRITON Dec 2017", @@ -34642,12 +38748,10 @@ "id": "relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974", "created": "2023-09-29T18:56:47.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:58.066Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", @@ -34660,7 +38764,6 @@ "id": "relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -34678,12 +38781,10 @@ "id": "relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca", "created": "2023-09-28T19:44:37.687Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:58.486Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -34696,7 +38797,6 @@ "id": "relationship--3a7d1db3-9383-4171-8938-382e9b0375c6", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", @@ -34725,7 +38825,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--67c2be08-d31a-4385-a637-9d1a907c7a26", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", @@ -34738,7 +38837,6 @@ "id": "relationship--3a9fc435-30b7-4684-a874-026c129aaa79", "created": "2025-09-24T17:54:22.945Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -34755,12 +38853,10 @@ "id": "relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea", "created": "2023-09-28T21:15:18.036Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:58.913Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -34794,15 +38890,30 @@ }, { "type": "relationship", - "id": "relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35", - "created": "2023-09-28T19:43:15.817Z", + "id": "relationship--3abaee7a-5d15-4364-9c74-775865a404b4", + "created": "2026-04-22T20:24:57.226Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T20:24:57.226Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35", + "created": "2023-09-28T19:43:15.817Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:01:59.605Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -34810,12 +38921,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--3afa12ce-4380-4e66-aa1d-4da20ac9023b", + "created": "2026-04-22T22:49:32.456Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:49:32.456Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--3b6567a9-6213-4db4-a069-1a86b1098b63", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Microsoft Security Response Center August 2017", @@ -34845,12 +38972,10 @@ "id": "relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688", "created": "2023-09-28T19:53:33.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:00.098Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -34860,15 +38985,31 @@ }, { "type": "relationship", - "id": "relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2", - "created": "2023-10-02T20:22:15.907Z", + "id": "relationship--3b9a4916-78b9-44b3-b0fc-6f167a918d7d", + "created": "2026-04-23T00:40:03.895Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T17:35:36.183Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2", + "created": "2023-10-02T20:22:15.907Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:00.330Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
@@ -34881,7 +39022,6 @@ "id": "relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", 
@@ -34901,46 +39041,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:25:11.687Z", - "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--3c182910-aaa9-4565-991d-55c1857a7fba", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "description": "", - "relationship_type": "detects", - "source_ref": "x-mitre-detection-strategy--09f46edf-33f9-4c23-af2f-74864c27f616", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--3c2d1b8a-d092-4a71-a0d4-dc5abff338bc", "created": "2025-09-24T18:23:15.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -34957,7 +39062,6 @@ "id": "relationship--3ce078ca-dad7-477a-8178-f0daf7ee823b", "created": "2025-09-24T18:18:30.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -34969,12 +39073,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--3cf99739-b045-4a83-985d-e9984076b81d", + "created": "2026-04-23T00:04:07.892Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:31:16.927Z", + "description": "ll field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a", "created": "2021-04-13T12:45:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
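Review bot: The description added for relationship--3cf99739-b045-4a83-985d-e9984076b81d in the second hunk on this line starts with "ll field controllers", so the leading "A" has been lost. The sibling mitigation text added for relationship--3b9a4916-78b9-44b3-b0fc-6f167a918d7d begins "All field controllers", so the intended opening is presumably `"description": "All field controllers should restrict the download of programs, ...`. In the same string, "(e.g., engineers, field technician)" mixes plural and singular and would read better as "field technicians".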
@@ -34999,12 +39120,10 @@ "id": "relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a", "created": "2023-09-28T21:26:11.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:02.154Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -35031,27 +39150,26 @@ }, { "type": "relationship", - "id": "relationship--3da977ab-c863-4e6f-a5b7-68173160da00", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--3d991288-1770-4211-83dc-441ef9944e0f", + "created": "2026-04-22T18:56:11.575Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:25:12.890Z", - "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "modified": "2026-04-22T18:56:11.575Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3db8d8d2-89bb-4241-afeb-9b9332aac78e", "created": "2024-03-28T14:31:06.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TEMP.Veles 2018", 
@@ -35076,12 +39194,10 @@ "id": "relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5", "created": "2023-09-29T17:05:08.346Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:03.473Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", @@ -35094,12 +39210,10 @@ "id": "relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1", "created": "2023-09-29T16:44:16.391Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:03.720Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -35107,53 +39221,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:25:13.443Z", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--3e015dd2-eff3-4955-ba74-388266518579", - "created": "2025-09-29T22:05:16.999Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T22:05:16.999Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--3e0c8afc-4c4d-40cc-bb61-f76b3fc1b013", "created": "2025-09-29T19:58:46.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -35167,32 +39239,65 @@ }, { "type": "relationship", - "id": "relationship--3ed98d8c-de30-499e-9a62-eae0207519f4", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--3e1f42f9-2edf-4c32-ac1e-da726b923570", + "created": "2026-04-23T00:37:08.211Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:25:13.765Z", - "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "modified": "2026-04-23T00:37:08.211Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--3e249f0a-5755-4e0f-96ce-f3ce6376fed5", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:25:00.291Z", + "description": "Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status data.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + 
"target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--3e9093f7-6212-4b34-b22e-4ecabc27c654", + "created": "2026-04-22T22:34:50.733Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:34:50.733Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9", "created": "2023-09-29T17:39:42.457Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:04.618Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -35205,7 +39310,6 @@ "id": "relationship--3f261739-b6ec-4a86-94a3-146929f9facf", "created": "2024-11-20T23:28:20.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", 
@@ -35247,7 +39351,6 @@ "id": "relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015", @@ -35269,15 +39372,30 @@ }, { "type": "relationship", - "id": "relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe", - "created": "2023-09-28T21:17:18.201Z", + "id": "relationship--3f9093f6-fb01-45e0-924f-a71a536336b2", + "created": "2023-09-29T18:06:35.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:05:02.821Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe", + "created": "2023-09-28T21:17:18.201Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:05.764Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -35287,40 +39405,30 @@ }, { "type": "relationship", - "id": "relationship--3fb86696-1d56-42d5-a73d-044a78b588fe", - "created": "2023-09-27T14:54:12.586Z", + "id": "relationship--3f9f3845-33a9-488a-afd7-8db1bb53fe88", + "created": "2023-09-28T19:39:25.832Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Booz Allen Hamilton", - "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", - "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:02:05.999Z", - "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet converter firmware, rendering the devices not operational. This meant that communication to the downstream serial devices was either not possible or more difficult. 
(Citation: Booz Allen Hamilton)", - "relationship_type": "uses", - "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "modified": "2025-04-16T23:02:52.150Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa", "created": "2023-09-28T20:27:43.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:06.232Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", @@ -35333,12 +39441,10 @@ "id": "relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542", "created": "2023-09-29T18:57:32.665Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:06.451Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", 
@@ -35346,12 +39452,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--40477010-e2db-4e4d-8896-6e401a89ac03", + "created": "2023-09-29T16:28:39.397Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:33.039Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c", "created": "2022-09-28T21:16:28.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Wylie-22", @@ -35376,12 +39498,10 @@ "id": "relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4", "created": "2023-09-29T18:05:42.611Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:06.892Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -35389,6 +39509,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--4071dca7-2405-4856-8130-44cc1aadded2", + "created": "2026-04-22T20:39:47.699Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:39:47.699Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--408b2389-3280-46c6-8c94-2579b47b2340", @@ -35398,7 +39535,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--13412b71-b94e-4aef-912a-44853f8bff05", "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", 
@@ -35406,17 +39542,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--40fdaedd-04b4-42ad-8bea-a0513de65f73", + "created": "2026-04-22T20:02:08.818Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:01:18.263Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used `netstat` to enumerate network connections on the Mikronika HMI computers.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db", "created": "2023-09-29T17:04:46.290Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:07.332Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -35424,12 +39583,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--413d5a01-4e80-4d8a-a9ad-9d90792b852a", + "created": "2026-04-22T16:10:04.096Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:10:04.096Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--415b3d09-f30e-4f25-8cae-bbe7fef80275", "created": "2025-09-24T18:19:25.233Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -35441,17 +39616,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--41856149-91d5-4815-b50f-8eb371ac5ba6", + "created": "2023-03-10T20:09:49.009Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:33.468Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--41a109dd-11d9-4840-a38b-088fc790f45a", "created": "2024-03-25T20:17:27.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:07.563Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -35459,6 +39657,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--41abc220-4ec6-41cc-bb36-37c43341fc41", + "created": "2026-04-22T16:07:47.332Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:08:24.985Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a", 
@@ -35476,34 +39699,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:25:15.857Z", - "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d", "created": "2023-09-28T19:58:43.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:08.191Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -35533,7 +39737,6 @@ "id": "relationship--423271c0-04dc-42d0-8e27-fb0b6067e096", "created": "2023-09-27T14:59:43.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", 
@@ -35563,6 +39766,7 @@ "id": "relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security September 2016", @@ -35573,21 +39777,20 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:25:16.596Z", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "modified": "2026-04-23T20:03:39.304Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--42577e40-8a29-461b-aeb6-232f4b04d76a", "created": "2025-09-24T17:55:49.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
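Review bot: The rewritten description for relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1 still ends in a literal `\n`. The edit removed the space before `(Citation:` but left the newline, whereas the same allowlist text added for relationship--41abc220-4ec6-41cc-bb36-37c43341fc41 ends at the citation. Two copies of one mitigation statement now differ only by trailing whitespace, which breaks exact-match deduplication and leaves a stray line break when rendered. I would end the string at `(Citation: Department of Homeland Security September 2016)"`. The description re-added for relationship--3e249f0a-5755-4e0f-96ce-f3ce6376fed5 has the same trailing `\n`.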
@@ -35618,15 +39821,30 @@ }, { "type": "relationship", - "id": "relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b", - "created": "2023-09-28T19:58:54.450Z", + "id": "relationship--4302566f-0eee-43a2-b40d-658e7cc0a57b", + "created": "2023-09-28T19:49:25.824Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:03:38.068Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b", + "created": "2023-09-28T19:58:54.450Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:09.477Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -35639,12 +39857,10 @@ "id": "relationship--43344cd7-5004-4dac-8b62-8899105fa265", "created": "2023-09-29T18:47:20.334Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:09.681Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -35657,7 +39873,6 @@ "id": "relationship--433539bf-cb17-4de1-9c0f-e579b041514f", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Inc. June 2017", @@ -35699,7 +39914,6 @@ "id": "relationship--4387dbb0-8602-4485-ab55-2ed63d8b1622", "created": "2025-09-29T19:05:01.891Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -35711,29 +39925,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--43ab2ba4-4bb7-4d5d-83ad-c87ef3f05e7d", - "created": "2025-09-29T19:08:29.213Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T19:08:29.213Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--43ab749c-d449-4fca-a14b-0f3a991fcdcc", "created": "2025-09-24T18:15:06.489Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -35745,12 +39941,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--43aecac8-9920-4cbf-bdd0-6a204cb64942", + "created": "2026-04-22T13:26:48.062Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:26:48.062Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--43b11545-3b70-4284-a369-bed7a0de4fd0", "created": "2024-03-27T19:52:07.502Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Mandiant-Sandworm-Ukraine-2022", 
@@ -35770,29 +39982,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--43bdf580-b98f-49cf-92d5-3dac50450c86", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:25:17.653Z", - "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--43d9821c-13ba-4009-b58b-a073918b780f", "created": "2025-09-29T19:57:56.590Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -35809,7 +40003,6 @@ "id": "relationship--43e7ed35-4038-4bc3-82bb-d5ff337b368a", "created": "2025-09-24T18:23:02.137Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -35843,7 +40036,6 @@ "id": "relationship--44c857cf-7a4e-405a-87ca-7f6d79000589", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", 
@@ -35872,7 +40064,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--a995ba7c-c2c2-4d74-a3da-74e5a192099b", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", 
@@ -35882,33 +40073,47 @@ }, { "type": "relationship", - "id": "relationship--4508bdef-9528-47ae-804c-bc59d1e694e7", - "created": "2023-09-28T20:02:35.354Z", + "id": "relationship--44e0627e-d100-4e11-adab-4ff093e6031e", + "created": "2023-09-29T17:37:41.336Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:02:11.638Z", - "description": "", + "modified": "2025-04-16T23:04:11.313Z", "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--4560f607-106b-4546-8f58-bd45c2a5c5f8", + "created": "2026-04-22T22:36:45.186Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:36:45.186Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--456ff399-4925-45d4-aa84-d930eae5348e", "created": "2023-09-28T20:26:47.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:11.878Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", @@ -35921,12 +40126,10 @@ "id": "relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f", "created": "2023-10-02T20:22:02.539Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:12.094Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", @@ -35939,12 +40142,10 @@ "id": "relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9", "created": "2023-09-28T20:15:32.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:12.313Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -35993,29 +40194,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--46332a77-2fd6-4033-96cf-6163172775ec", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:25:19.555Z", - "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--4653847b-c089-4435-9159-6f76353833f7", "created": "2023-09-25T20:43:22.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -36033,12 +40216,10 @@ "id": "relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf", "created": "2023-09-29T16:42:20.944Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:13.639Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -36051,12 +40232,10 @@ "id": "relationship--46798892-d849-43fe-8147-b40cc9da291e", "created": "2023-09-28T19:42:29.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:13.854Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -36069,7 +40248,6 @@ "id": "relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Hydro", @@ -36099,12 +40277,10 @@ "id": "relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9", "created": "2024-03-25T20:17:59.424Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:14.277Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -36117,12 +40293,10 @@ "id": "relationship--4768c731-3be9-44b8-a217-dfbececa57d9", "created": "2023-09-29T18:06:22.868Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:14.477Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -36139,7 +40313,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--6f921aa8-deb3-4286-8101-26a7cbe80c0e", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", @@ -36156,7 +40329,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--bbb288c7-9e40-46bd-b0a1-db4cfef4e1ee", "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", @@ -36169,7 +40341,6 @@ "id": "relationship--47f15a06-8675-4698-833d-bd141ed9e755", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Microsoft Security Response Center August 2017", 
@@ -36194,52 +40365,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--483719ad-c973-4210-b059-14e87dbd45f8", - "created": "2023-09-28T19:49:43.417Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:02:15.147Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--48489baf-56c2-423e-964a-0a61688e4a19", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:25:20.807Z", - "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957", "created": "2024-04-09T20:50:34.946Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:15.592Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -36247,6 +40381,39 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--48e142d5-ebfe-4950-8704-409c6b92f693", + "created": "2026-04-20T20:54:22.411Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:22.411Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--490c0435-b918-4843-bee1-0584f8092ce4", + "created": "2026-04-23T16:34:50.702Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:34:50.702Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3", 
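Review bot: The new `subtechnique-of` object `relationship--48e142d5-ebfe-4950-8704-409c6b92f693` omits `x_mitre_deprecated`, which every other relationship added in these hunks carries. The `revoked-by` object `relationship--4e1e6e4b-c38b-477e-8026-f12a58558484` in the hunk at `-36653` has the same gap. Tooling that selects active relationships by testing `x_mitre_deprecated` directly may skip or reject these two, which would hide the parent/child link and the revocation pointer from anyone remapping detections. If the omission is not deliberate for these relationship types, add `"x_mitre_deprecated": false,` after `x_mitre_modified_by_ref` in both objects.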
@@ -36269,12 +40436,10 @@ "id": "relationship--49242ea8-4813-49f7-8bd4-9668216cceeb", "created": "2023-09-29T16:45:53.300Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:16.023Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -36282,23 +40447,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--493e1d96-a534-4c4a-80d1-516616b0cc44", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "description": "", - "relationship_type": "detects", - "source_ref": "x-mitre-detection-strategy--d8cb1dd3-8bf2-48e7-99db-473481b823a8", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--4966e63c-ca05-466d-91f9-41d799a54471", @@ -36321,7 +40469,6 @@ "id": "relationship--497e0dbf-b36e-4c2e-9368-67553c8ba5b1", "created": "2025-09-24T18:25:02.119Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -36338,12 +40485,10 @@ "id": "relationship--4981a944-b3ad-4d78-9881-a17d458e3422", "created": "2023-09-28T20:01:30.138Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:16.504Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -36356,7 +40501,6 @@ "id": "relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8", "created": "2023-03-31T17:44:19.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Crashoverride 2018", 
@@ -36376,12 +40520,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--49aebf0c-e231-4cbb-84a2-97c9a6d11654", + "created": "2026-04-22T17:59:31.637Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:32:27.293Z", + "description": "Ensure proper network segmentation is followed to protect critical systems and devices.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -36399,12 +40560,10 @@ "id": "relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05", "created": "2023-09-28T19:41:47.648Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:17.384Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -36417,12 +40576,10 @@ "id": "relationship--4a7340fc-0eec-4459-a491-952d736b79ef", "created": "2023-09-28T19:50:42.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:17.593Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -36432,33 +40589,48 @@ }, { "type": "relationship", - "id": "relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198", - "created": "2023-09-28T21:09:50.956Z", + "id": "relationship--4b353f8e-15ff-4fab-9f09-270ffb744a0f", + "created": "2026-04-22T16:09:40.257Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:02:17.814Z", - "description": "", + "modified": "2026-04-22T16:09:40.257Z", "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "source_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--4b44a657-11cc-45bc-b096-f32e58a70036", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:25:26.221Z", + "description": "Restrict unauthorized devices from accessing serial comm ports.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596", "created": "2023-09-28T21:24:51.818Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:18.221Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -36471,12 +40643,10 @@ "id": "relationship--4b853b7c-bc55-4599-b88d-d08d651526c0", "created": "2023-09-29T18:49:25.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:18.442Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -36489,7 +40659,6 @@ "id": "relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e", "created": "2023-03-31T17:45:09.659Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Crashoverride 2018", 
@@ -36511,15 +40680,30 @@ }, { "type": "relationship", - "id": "relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12", - "created": "2023-09-28T19:59:23.856Z", + "id": "relationship--4bcbf856-1a3f-4dcf-8e00-5e925025ffc4", + "created": "2026-04-22T20:24:18.093Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T20:24:18.093Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12", + "created": "2023-09-28T19:59:23.856Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:18.868Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -36532,12 +40716,10 @@ "id": "relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962", "created": "2023-09-28T21:23:14.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:19.069Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -36545,12 +40727,104 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--4c5f0aeb-d4ae-4f37-9fec-ba4d844a0c21", + "created": "2026-04-22T21:48:25.479Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:48:25.479Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c779ee07-ee85-42fe-a2c1-14ce25766cdf", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--4c6b7176-650b-448d-9d5b-28eb36bcafae", + "created": "2026-04-22T20:06:22.552Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:06:22.552Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. 
(Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--4cb8291c-f9eb-4c84-bb15-695685fd7064", + "created": "2026-04-22T21:36:57.379Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:36:57.379Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--4cc2bf97-b439-40a9-8e18-cc9daca1bab6", + "created": "2026-04-22T19:00:02.393Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T19:00:02.393Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--4cec834f-831f-46e6-9cd2-a6fdfa45d06b", + "created": "2023-09-29T17:44:19.135Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:02:54.629Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--4d163eab-7118-49c3-a4e9-d4f26d09b314", "created": "2025-09-24T18:13:02.344Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -36567,7 +40841,6 @@ "id": "relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c", "created": "2023-09-27T13:17:12.592Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Andy Greenberg June 2017", @@ -36597,12 +40870,10 @@ "id": "relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7", "created": "2023-09-28T20:27:04.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:19.583Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
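Review bot: The external reference on `relationship--4c6b7176-650b-448d-9d5b-28eb36bcafae` has a garbled citation string: `HatManSafety` is run together, the retrieval date is cut off by a stray period (`Retrieved. 2019/03/08 `), and the value ends in a trailing space. Going by the title encoded in the `url`, something like `"description": "DHS CISA. (2019, February 27). MAR-17-352-01 HatMan - Safety System Targeted Malware (Update B). Retrieved March 8, 2019."` reads correctly. The link also points at the `ics-cert.us-cert.gov` host, which looks like a legacy location, so it is worth confirming that it still resolves and analysts can reach the primary source behind this relationship.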
@@ -36615,12 +40886,10 @@ "id": "relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4", "created": "2023-09-28T21:28:11.821Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:19.805Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -36633,7 +40902,6 @@ "id": "relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e", "created": "2022-09-28T21:21:58.641Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Wylie-22", 
@@ -36653,6 +40921,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--4e1e6e4b-c38b-477e-8026-f12a58558484", + "created": "2026-04-20T20:58:39.169Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:39.169Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--4e7ec200-9a1b-46d4-9383-738903fec554", + "created": "2026-04-23T00:39:29.524Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:33:28.216Z", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--4ef202e5-b1cb-4cc4-892d-df6bf683c596", 
@@ -36662,7 +40964,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--5604323b-6e7a-4801-91ae-4bf591f2e3ac", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", @@ -36675,12 +40976,10 @@ "id": "relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5", "created": "2023-09-29T18:02:38.399Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:20.229Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -36688,35 +40987,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93", - "created": "2023-09-29T17:57:55.162Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:02:20.428Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9", "created": "2023-09-28T20:09:53.108Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:20.630Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", @@ -36729,7 +41008,6 @@ "id": "relationship--4f83cc15-274d-44c6-859f-e598e362e76e", "created": "2023-09-27T14:55:55.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Ukraine15 - EISAC - 201603", 
@@ -36749,12 +41027,27 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--4fde32fb-56b6-458b-92ac-55f81bc91783", + "created": "2026-04-20T20:54:26.012Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:26.012Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--4fde6641-ad83-4b23-b51c-97fe7bdc558c", "created": "2025-09-24T18:14:52.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -36792,15 +41085,30 @@ }, { "type": "relationship", - "id": "relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29", - "created": "2023-09-29T18:03:06.209Z", + "id": "relationship--50324c5f-50e9-4d81-a8ba-a076827259a0", + "created": "2026-04-22T20:25:20.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T20:25:20.492Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29", + "created": "2023-09-29T18:03:06.209Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:21.314Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -36837,6 +41145,48 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--504f74ff-ce0c-4e2d-840a-79c17ba2cbce", + "created": "2026-04-22T20:40:31.895Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:40:31.895Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--5068c7c3-5922-447a-bf49-8301e797e992", + "created": "2023-09-27T14:51:18.262Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:01:35.317Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet gateways with custom firmware to make systems either disabled, shutdown, and/or unrecoverable. 
(Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--50a2b289-7bce-405d-8515-c2b5424cce5c", @@ -36871,7 +41221,6 @@ "id": "relationship--50b3247a-ea71-455e-b299-f00666c05146", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", @@ -36896,7 +41245,6 @@ "id": "relationship--50c20664-75dc-451e-b026-67b1d309e4b5", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", 
@@ -36918,15 +41266,31 @@ }, { "type": "relationship", - "id": "relationship--5131c799-517c-4bad-ba97-46ad7de956e7", - "created": "2023-09-28T21:17:06.233Z", + "id": "relationship--50c2224e-7592-4400-afbb-6434e025bfd8", + "created": "2022-09-29T14:28:08.703Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:02:30.068Z", + "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--5131c799-517c-4bad-ba97-46ad7de956e7", + "created": "2023-09-28T21:17:06.233Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:22.378Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
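Review bot: The added `relationship--50c2224e-7592-4400-afbb-6434e025bfd8` is a new object id in this file, yet it carries `"created": "2022-09-29T14:28:08.703Z"` and `"modified": "2025-04-16T23:02:30.068Z"`. Those are the timestamps of `relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0`, which a later hunk removes with the same description and `source_ref` but a different `target_ref`. This looks like a mitigation re-targeted to `attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20` with the original timestamps copied over. If so, a consumer that syncs incrementally on `modified` would never pick up the new mapping, and its mitigation coverage for the new technique would silently stay empty. Stamping `modified` at release time on re-created relationships would avoid that; failing that, ingest pipelines should diff bundles by object `id` rather than by timestamp. The added `relationship--5068c7c3-…`, `relationship--527676d2-…` and `relationship--5338abbc-…` in other hunks show the same pattern of a new id with pre-release `created`/`modified` values.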
@@ -36934,12 +41298,53 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--513e6965-7ce0-47de-b2a0-8f0ba4978ce4", + "created": "2026-04-22T18:54:42.908Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:54:42.908Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--5152ea91-af3f-4317-81ca-b3cf910b471a", + "created": "2026-04-22T20:27:50.811Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. 
Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:33:08.419Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries enabled TCP port 445 on Mikronika HMI devices creating a new firewall rule named \u201cMicrosoft Update\u201d.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--51957f0f-79e2-4716-beec-0fec67e4482f", "created": "2025-09-24T18:11:54.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -36956,7 +41361,6 @@ "id": "relationship--51eb15a3-48af-470f-94c0-10f25b366d72", "created": "2022-09-28T20:30:22.148Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos-Pipedream", 
@@ -36981,29 +41385,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:25:26.221Z", - "description": "Restrict unauthorized devices from accessing serial comm ports.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4", "created": "2019-06-24T17:20:24.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Catalin Cimpanu April 2016", @@ -37028,12 +41414,10 @@ "id": "relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c", "created": "2023-09-29T16:40:18.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:23.504Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -37080,12 +41464,10 @@ "id": "relationship--523777f8-4780-4716-807c-08a67450b916", "created": "2023-09-29T18:45:13.052Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:24.163Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -37098,12 +41480,10 @@ "id": "relationship--524ffb0f-40ae-4c97-a098-d14001fffa31", "created": "2023-09-29T16:44:54.473Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:24.372Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -37116,12 +41496,10 @@ "id": "relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0", "created": "2024-04-09T20:58:49.397Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:24.595Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
@@ -37129,6 +41507,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--527676d2-9dd0-40c6-8fc5-10209a82c986", + "created": "2023-09-28T20:04:44.041Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:39.033Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--52855d5d-e835-470f-a675-751c2779c861", @@ -37151,7 +41546,6 @@ "id": "relationship--529610e5-831f-48df-a22f-fa088b9f9e9e", "created": "2025-09-29T19:10:58.772Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -37165,15 +41559,30 @@ }, { "type": "relationship", - "id": "relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b", - "created": "2023-09-28T21:23:26.598Z", + "id": "relationship--52a592dd-61c0-4884-a680-0d6f9112077e", + "created": "2026-04-22T21:35:28.147Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T21:35:28.147Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b", + "created": "2023-09-28T21:23:26.598Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:25.027Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -37210,12 +41619,10 @@ "id": "relationship--52e828db-58d0-443e-8d94-54d265d9606e", "created": "2023-09-29T17:42:01.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:25.441Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
@@ -37225,49 +41632,26 @@ }, { "type": "relationship", - "id": "relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--5338abbc-11f7-44e4-b97e-5439c1c1b45b", + "created": "2023-10-02T20:20:32.163Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "Dwight Anderson 2014", - "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", - "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" - } - ], + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:25:28.236Z", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "modified": "2025-04-16T23:05:26.944Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--533bd747-2567-4c53-a10b-938734f8aeab", "created": "2024-03-25T17:59:02.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TRITON Dec 2017", @@ -37306,7 +41690,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--f9b7143b-ce86-4cfb-a03a-f39c01904fb1", "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", @@ -37319,7 +41702,6 @@ "id": "relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", 
@@ -37339,12 +41721,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--53754728-a86b-4db2-b4de-197bd491167f", + "created": "2026-04-22T16:30:09.937Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:30:09.937Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--ff6456fc-576d-4da5-b561-b58f70961b15", + "target_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--538e5653-137a-4ce2-8b08-5ba69caa794a", "created": "2024-03-25T17:58:07.886Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TRITON Dec 2017", @@ -37374,7 +41772,6 @@ "id": "relationship--53a54e4a-2b38-4b0c-8f60-252a68767443", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", @@ -37399,7 +41796,6 @@ "id": "relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a", "created": "2023-03-30T14:08:23.251Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA June 2013", 
@@ -37424,12 +41820,10 @@ "id": "relationship--53d7a78d-1431-49e8-944c-62c875e58a20", "created": "2023-09-29T17:08:37.793Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:26.835Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", @@ -37442,7 +41836,6 @@ "id": "relationship--5424e327-396f-4b07-94a3-408ffc915686", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos", @@ -37472,12 +41865,10 @@ "id": "relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd", "created": "2023-09-29T17:44:32.341Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:27.265Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -37490,12 +41881,10 @@ "id": "relationship--544e996c-0bdc-42b2-91af-14c27d4213b9", "created": "2023-09-28T21:09:23.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:27.495Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -37503,17 +41892,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--544f0447-0f37-4b1c-b424-3fbcdee15e63", + "created": "2026-04-23T00:40:43.328Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:10:25.500Z", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56", "created": "2023-09-28T20:10:44.014Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:27.715Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -37526,7 +41938,6 @@ "id": "relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b", "created": "2023-03-30T19:24:38.022Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 Mandiant April 2022", 
@@ -37546,6 +41957,57 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--5542d884-ac75-4e1f-9d60-29add89c8567", + "created": "2025-09-29T19:02:48.640Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-29T19:02:48.640Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--55adf560-78f2-4804-a135-ec49bb70c6a4", + "created": "2026-04-22T16:38:28.001Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:38:28.001Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--56636da0-ea2b-4c51-87d2-f7fcff26ea1a", + "created": "2026-04-22T18:57:23.003Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:57:23.003Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": 
"x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b", @@ -37585,35 +42047,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--5677e801-bd49-404b-b54a-6b00da52530c", - "created": "2023-09-29T16:39:01.824Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:02:29.175Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18", "created": "2023-09-29T18:05:18.147Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:29.624Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -37621,12 +42063,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--56a561d2-5230-4456-99b5-989dbeac715c", + "created": "2025-09-24T18:20:10.625Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-24T18:20:10.625Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jos Wetzels January 2018", @@ -37651,7 +42109,6 @@ "id": "relationship--56f22365-3711-468a-8f57-ee4193bf1ee8", "created": "2025-09-29T21:57:55.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -37663,66 +42120,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--570f630b-ee41-490f-a909-d2f15b5ad459", - "created": "2025-09-29T22:06:21.839Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T22:06:21.839Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, - { - "type": "relationship", - "id": "relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0", - "created": "2022-09-29T14:28:08.703Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:02:30.068Z", - "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access.", - "relationship_type": "mitigates", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f", - "created": "2023-09-27T14:48:05.715Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Ukraine15 - EISAC - 201603", - 
"description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", - "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:02:30.269Z", - "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)", - "relationship_type": "uses", - "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88", @@ -37745,12 +42142,10 @@ "id": "relationship--577b53a0-44ff-4cc4-b571-455d61e596c0", "created": "2023-09-28T20:27:17.431Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:30.910Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -37763,7 +42158,6 @@ "id": "relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", @@ -37783,12 +42177,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--57abea59-09c3-496f-a6b9-21c6a0cb9b7a", + "created": "2026-04-22T20:17:22.389Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:03:30.830Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used the `nircmd` utility to capture screenshots of systems.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141", "created": "2023-03-31T18:12:35.414Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET Industroyer", 
@@ -37818,7 +42236,6 @@ "id": "relationship--57ff803c-0380-4176-bb42-f7bb30e79fec", "created": "2025-09-29T19:58:27.480Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -37847,6 +42264,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--5812613d-e4ef-4201-a717-c7f239daeaf3", + "created": "2026-04-22T22:48:32.057Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:48:32.057Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61", 
@@ -37871,6 +42305,39 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--582aca6c-d421-4c84-89fc-f52e87cc306a", + "created": "2026-04-22T18:55:28.835Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:55:28.835Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--58978012-8185-4a15-9bbc-6bdb33c91039", + "created": "2026-04-20T20:54:16.595Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:16.595Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "target_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94", 
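Review bot: The added `subtechnique-of` object `relationship--58978012-8185-4a15-9bbc-6bdb33c91039` has no `x_mitre_deprecated` key, whereas the `targets` relationship added just above it in this hunk, and the other relationships added in this diff, all carry `"x_mitre_deprecated": false`. If the omission is not deliberate for this relationship type, add `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version` so that tooling reading the flag without a default sees a uniform shape. If it is deliberate, consumers need to treat a missing key as not deprecated.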
@@ -37893,12 +42360,10 @@ "id": "relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba", "created": "2023-09-28T19:38:03.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:32.268Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -37923,17 +42388,50 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--58edd7e0-7b54-4ac5-8e84-81e2dfb03a71", + "created": "2026-04-22T22:21:11.962Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LockerGoga Revisited", + "description": "Joe Slowik. (2020, March 17). Spyware Stealer Locker Wiper: LockerGoga Revisited. Retrieved April 22, 2026.", + "url": "https://www.dragos.com/blog/industry-news/spyware-stealer-locker-wiper-lockergoga-revisited/" + }, + { + "source_name": "Kevin Beaumont", + "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", + "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" + }, + { + "source_name": "Detecting LockerGoga", + "description": "Oleg Kolesnikov and Harshvardhan Parashar. (2019, April 30). Detecting LockerGoga Targeted IT/OT Cyber Sabotage/Ransomware Attacks. 
Retrieved April 22, 2026.", + "url": "https://www.securonix.com/wp-content/uploads/2021/07/Securonix-Threat-Research-Report-Detecting-LockerGoga.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:35:28.172Z", + "description": "[LockerGoga](https://attack.mitre.org/software/S0372) had blocked network communications by disabling all the network interfaces on the system via netsh.exe.(Citation: LockerGoga Revisited)(Citation: Kevin Beaumont)(Citation: Detecting LockerGoga)", + "relationship_type": "uses", + "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "target_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1", "created": "2023-09-28T20:27:33.713Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:32.703Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
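Review bot: The `Kevin Beaumont` entry in `external_references` of the added `relationship--58edd7e0-7b54-4ac5-8e84-81e2dfb03a71` does not follow the citation layout of its two siblings: it has no publication date and no sentence breaks, and it ends in `Retrieved. 2019/10/16 ` with a trailing space. It should be rewritten in the same author, date, title, retrieval-date order as the `LockerGoga Revisited` entry; the publication date is not visible on this page and has to come from the source. The `Department of Homeland Security September 2016` reference added with `relationship--598386c1-778c-41b7-af1e-e0947651f4ca` in a later hunk has the same shape and also lacks a title. Separately, the `description` of this object says `had blocked network communications`, where `blocked` would match the tense of the other procedure descriptions.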
@@ -37941,6 +42439,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--58fdcdd1-d3e2-43b4-80a8-8f9ba7f967c2", + "created": "2026-04-22T20:23:50.776Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:23:50.776Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used DynoWiper and built-in commands to destroy data on Mikronika RTUs, Hitachi Relion Protection and Control Relays (IEDs), and HMI workstations.(Citation: CERT Polska)\n\nDuring the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used LazyWiper to destroy data at a manufacturing sector company.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c", @@ -37980,7 +42503,6 @@ "id": "relationship--591620d3-5549-49db-9080-43f86a68a590", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "DHS CISA February 2019", 
@@ -38000,12 +42522,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--5916d742-2fcf-4421-b3c1-e4370cabfa13", + "created": "2026-04-22T18:57:02.202Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:57:02.202Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--5924f411-11f0-4ac9-94b5-0f8dec844999", "created": "2025-09-29T19:51:26.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -38017,17 +42555,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--59685dcb-3076-4171-b43f-0ddca6555dc0", + "created": "2026-04-23T14:30:09.007Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T14:30:09.007Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b", "created": "2023-09-28T21:28:21.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:33.839Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
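Review bot: The `description` of the added `relationship--59685dcb-3076-4171-b43f-0ddca6555dc0` reads `can modified program logic`, which should be `can modify program logic`, and the string ends with a stray space after `(Citation: Wylie-22)`. The `Wylie-22` reference also carries no retrieval date, unlike the other references added in this diff. This text is what a defender reads when mapping INCONTROLLER behaviour to the Omron PLC program download and backup transfer functions, so the wording is worth correcting before release.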
@@ -38035,17 +42596,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--598386c1-778c-41b7-af1e-e0947651f4ca", + "created": "2026-04-23T00:27:58.043Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:12:29.219Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8", "created": "2023-09-29T17:09:25.690Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:34.042Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -38058,7 +42642,6 @@ "id": "relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc", "created": "2023-03-10T20:30:43.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", @@ -38083,7 +42666,6 @@ "id": "relationship--5a43a422-4235-44b8-87e4-bc82e83d44f3", "created": "2025-09-24T18:13:43.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -38097,15 +42679,30 @@ }, { "type": "relationship", - "id": "relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba", - "created": "2023-09-28T20:07:36.295Z", + "id": "relationship--5a96d5e3-4c95-4312-a43a-b986d9bb5781", + "created": "2026-04-22T22:50:54.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T22:50:54.223Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba", + "created": "2023-09-28T20:07:36.295Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:35.030Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -38118,7 +42715,6 @@ "id": "relationship--5adfe50f-938b-4d8e-885d-0c0ebf43bdcd", "created": "2025-09-24T18:21:38.152Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -38149,15 +42745,48 @@ }, { "type": "relationship", - "id": "relationship--5b14c813-09e2-4709-ab42-94830cf9538c", - "created": "2023-09-29T18:42:39.876Z", + "id": "relationship--5ae382ac-27c6-480a-9269-241751553c52", + "created": "2023-09-28T20:04:54.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:04:07.564Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--5b060600-e8b8-4dd8-8ed7-aadbccb8e2a8", + "created": "2026-04-22T16:04:28.120Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:52:40.357Z", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--5b14c813-09e2-4709-ab42-94830cf9538c", + "created": "2023-09-29T18:42:39.876Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:35.448Z", - 
"description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -38170,7 +42799,6 @@ "id": "relationship--5b701c8d-374a-4a6b-a695-b5c7a747ceb2", "created": "2024-11-20T23:09:31.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", @@ -38195,7 +42823,6 @@ "id": "relationship--5bad41f1-7a3f-42c6-9b9d-6975212697e2", "created": "2025-09-29T21:59:28.930Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -38212,7 +42839,6 @@ "id": "relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", @@ -38237,6 +42863,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--5bd2b468-10de-4346-80f0-f46f25707069", + "created": "2025-09-29T19:15:19.909Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-29T19:15:19.909Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad", 
@@ -38259,7 +42902,6 @@ "id": "relationship--5beda54d-cd1f-491b-a85e-d7618a0683ad", "created": "2024-03-28T14:28:10.742Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TRITON Dec 2017", @@ -38284,7 +42926,6 @@ "id": "relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -38299,35 +42940,26 @@ }, { "type": "relationship", - "id": "relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c", - "created": "2018-10-17T00:14:20.652Z", + "id": "relationship--5bfb710a-02bb-4c4a-8f4a-8a7fe66c453f", + "created": "2023-09-28T20:02:35.354Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:02:36.747Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "modified": "2025-04-16T23:02:11.638Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--5c47a389-30fb-4d42-935d-282c29b67feb", "created": "2025-09-29T19:32:38.792Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -38344,7 +42976,6 @@ "id": "relationship--5c4add91-8956-4d66-a5e9-d17e7ee92cfb", "created": "2025-09-29T19:25:44.519Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -38361,12 +42992,10 @@ "id": "relationship--5c61c8a2-bfff-43fb-8397-bff864413d74", "created": "2023-09-29T17:06:09.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:36.954Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -38379,7 +43008,6 @@ "id": "relationship--5c8c8976-2cac-4185-9719-ef55c1032d6a", "created": "2024-11-20T23:06:24.432Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", 
@@ -38455,25 +43083,41 @@ "id": "relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:02:38.316Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "modified": "2025-12-24T17:46:20.771Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--5d788a27-a1ba-4f22-aa03-b43875d6ace1", + "created": "2026-04-23T00:03:16.026Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:29:27.421Z", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--5d9d7c5d-c455-4bcc-9d2c-80f6746632b9", "created": "2025-09-29T19:06:40.704Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -38490,7 +43134,6 @@ "id": "relationship--5db3a67e-8a3a-479e-a723-fe0f0c9e3563", "created": "2025-09-24T18:03:44.816Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -38502,6 +43145,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--5dcf5ba3-bfa8-4aa4-be5f-e5aea64b3591", + "created": "2023-09-28T19:49:43.417Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:02:15.147Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36", 
@@ -38548,7 +43208,6 @@ "id": "relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Tom Fakterman August 2019", @@ -38573,12 +43232,10 @@ "id": "relationship--5e324da5-0fee-4dac-b289-410d560e03e9", "created": "2023-09-28T19:46:49.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:39.172Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -38588,15 +43245,30 @@ }, { "type": "relationship", - "id": "relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb", - "created": "2023-09-28T20:16:28.582Z", + "id": "relationship--5ebb309c-98a9-415a-8c22-2308f69a19b0", + "created": "2026-04-22T21:42:11.042Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T21:42:11.042Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb", + "created": "2023-09-28T20:16:28.582Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:39.400Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -38628,12 +43300,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--5f4badb1-5583-4101-84e4-5b6ebdb0c463", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:01:17.963Z", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--5f57e37e-fa3e-4cb6-973e-7e69f61a65c2", "created": "2025-09-24T18:24:03.660Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -38650,7 +43339,6 @@ "id": "relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0", "created": "2023-09-25T20:49:49.605Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -38665,39 +43353,20 @@ }, { "type": "relationship", - "id": "relationship--5ff26c96-c610-4669-b44e-d6318205be5a", - "created": "2023-09-29T16:43:28.841Z", + "id": "relationship--5fd9eaf1-7517-4110-9df1-1e0374a924a9", + "created": "2026-04-22T20:39:13.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:02:40.092Z", - "description": "", + "modified": "2026-04-22T20:39:13.266Z", "relationship_type": "targets", - "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--600f0115-94e3-49bf-afa6-0180b3367b94", - "created": "2023-09-28T20:06:15.180Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:02:40.318Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -38721,12 +43390,10 @@ "id": "relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024", "created": "2023-09-29T18:07:18.253Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:40.768Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -38734,17 +43401,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--605dcc44-9e1c-42a9-bc0f-5dfa81444022", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:02:44.640Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--605f3853-b007-4134-8a2d-6a81a35e7676", "created": "2023-09-29T18:48:05.559Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:40.983Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
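Review bot: The `external_references` entry on the added `relationship--605dcc44-…` keeps a scrambled citation string: the date sits between publisher and title, "Retrieved." is cut off from its date, and there is a trailing space inside the quotes. Since this object is being emitted under a new id, it is a good moment to normalise it to the form the other references in the bundle use: `"description": "Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017."`. The object's `created` and `modified` values match the `relationship--648c6649-…` entry removed further down, which points to a different `target_ref`. If this is a re-targeted copy, `modified` presumably ought to reflect the change.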
@@ -38757,12 +43447,10 @@ "id": "relationship--6067c069-8e93-4bf0-bb49-97538d55c3de", "created": "2024-04-09T20:58:32.884Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:41.206Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -38770,12 +43458,46 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--6079656e-d391-4de7-aeff-20c0f00f68c3", + "created": "2026-04-23T00:27:40.717Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:35:16.431Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--60e80053-046c-4f53-b1cb-8778cbda8937", + "created": "2026-04-22T18:55:04.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:55:04.275Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--610af67a-5e9a-4f10-a88f-d74451e0bac1", "created": "2025-09-24T18:13:14.589Z", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -38792,7 +43514,6 @@ "id": "relationship--6124eea3-34b1-4829-89b7-d837910515e6", "created": "2025-09-29T19:54:27.561Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -38848,7 +43569,6 @@ "id": "relationship--61869a8e-d6da-478a-b770-47f97beae8b4", "created": "2024-08-15T21:59:43.124Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "NCSC CISA Cyclops Blink Advisory February 2022", @@ -38868,12 +43588,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--619b3740-df20-4974-858f-f8067749d7b0", + "created": "2026-04-23T00:05:26.725Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:33:57.609Z", + "description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--6258c355-677c-452d-b1fc-27767232437b", "created": "2019-03-26T16:19:52.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik April 2019", 
@@ -38898,12 +43635,10 @@ "id": "relationship--62abe387-10a2-414b-881c-060b70db2157", "created": "2023-09-28T20:08:39.992Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:42.273Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", @@ -38916,7 +43651,6 @@ "id": "relationship--62e818b8-38e6-42ff-9424-9a327332eb2a", "created": "2022-09-29T20:02:37.671Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET Industroyer", @@ -38941,12 +43675,10 @@ "id": "relationship--630eb861-eb37-4258-9dbd-87789df2257a", "created": "2024-03-26T15:41:26.772Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:42.705Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -38992,7 +43724,6 @@ "id": "relationship--63453d2f-30f6-40ab-b32c-506d940ecd20", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -39007,15 +43738,31 @@ }, { "type": "relationship", - "id": "relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b", - "created": "2023-09-29T17:44:55.599Z", + "id": "relationship--636a70d1-dd76-4633-b960-e64459f87299", + "created": "2026-04-22T22:53:08.394Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T17:16:43.591Z", + "description": "Ensure systems and devices have an alternative method for communicating in the event that Wi-Fi communication channels become unavailable.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b", + "created": "2023-09-29T17:44:55.599Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:43.745Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -39028,7 +43775,6 @@ "id": "relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "DHS CISA February 2019", 
@@ -39058,12 +43804,10 @@ "id": "relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3", "created": "2023-09-29T16:43:05.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:44.216Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -39071,12 +43815,45 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--6420b4b9-3536-4a9b-b53d-6780242f38cf", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--de675cf4-144e-485c-a761-c72ebcb9e2bc", + "target_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--6421e980-4f75-4e13-a207-a9583bd28c4a", + "created": "2026-04-22T20:42:33.462Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:42:33.462Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--642cae89-bb5c-46f3-9fea-8d747b930c35", "created": "2023-03-10T20:11:10.018Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", 
@@ -39098,28 +43875,37 @@ }, { "type": "relationship", - "id": "relationship--648c6649-5861-4b43-a7e5-a9665bafb576", - "created": "2018-10-17T00:14:20.652Z", + "id": "relationship--642f4d65-04ea-4662-bc1c-5fba12aa4fc1", + "created": "2026-04-23T16:45:04.370Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:02:44.640Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "modified": "2026-04-23T16:45:04.370Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--645d5380-c5e5-4ee6-8ebb-11a0cd44cc08", + "created": "2026-04-23T16:29:09.403Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:29:09.403Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -39143,7 +43929,6 @@ "id": "relationship--64f14b30-f71e-4429-b16e-160ae5e346f0", "created": "2025-09-24T18:20:25.164Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -39155,12 +43940,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--64f31c4f-a525-469c-8f2f-370dcd321314", + "created": "2023-10-02T20:21:16.665Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:35.161Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--650bca94-b9ad-45dd-90c9-83481247711a", "created": "2025-09-29T22:02:00.622Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -39201,12 +44002,10 @@ "id": "relationship--652c1e77-cfea-4452-9762-5ba16f874119", "created": "2023-09-29T17:58:42.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:45.324Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -39219,7 +44018,6 @@ "id": "relationship--6573327e-3757-424e-8570-04ffe7d5d0e2", "created": "2023-09-27T14:53:25.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", 
@@ -39239,34 +44037,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--65a45501-10de-46a2-89bf-03bbf17aba33", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:25:41.115Z", - "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--65aa5a0d-926c-4b04-9509-f66a99639877", "created": "2023-09-29T17:41:34.892Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:46.215Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
@@ -39274,12 +44053,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--65ab0305-9fe2-4af4-a11e-b8d272493ad1", + "created": "2026-04-22T20:37:52.099Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:37:52.099Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--65adbdda-7069-40ed-9825-b79ec87e4916", "created": "2021-09-21T15:47:37.522Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CrowdStrike Carbon Spider August 2021", @@ -39319,12 +44114,10 @@ "id": "relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5", "created": "2023-09-28T21:25:34.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:46.527Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -39337,12 +44130,10 @@ "id": "relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2", "created": "2023-10-02T20:18:54.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:46.764Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", @@ -39355,7 +44146,6 @@ "id": "relationship--6603a100-d655-4e6b-8d38-73c11b89dde4", "created": "2019-03-26T16:19:52.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik April 2019", @@ -39397,7 +44187,6 @@ "id": "relationship--665587ee-1524-4334-9580-2b448c417542", "created": "2023-03-30T19:26:07.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 Mandiant April 2022", 
@@ -39422,30 +44211,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--66738beb-0a33-4d70-baec-8307b5b34f80", - "created": "2023-09-28T20:16:05.975Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:02:47.650Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--6681bc38-0b55-4714-b690-c609956b40bf", "created": "2022-09-28T20:27:33.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA-AA22-103A", @@ -39475,7 +44245,6 @@ "id": "relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d", "created": "2023-03-10T20:32:02.472Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", 
@@ -39507,11 +44276,6 @@ "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" }, - { - "source_name": "Dragos-Pipedream", - "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite\u2019s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", - "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" - }, { "source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", 
@@ -39521,26 +44285,24 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:02:48.321Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.(Citation: Dragos-Pipedream)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the FINS (Factory Interface Network Service) protocol to scan for and obtain MAC address associated with Omron devices.(Citation: CISA-AA22-103A)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers.(Citation: Wylie-22)", + "modified": "2026-04-23T14:20:50.156Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the FINS (Factory Interface Network Service) protocol to scan for and obtain MAC address associated with Omron devices.(Citation: CISA-AA22-103A)(Citation: Wylie-22)", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702", "created": "2023-09-29T17:43:31.956Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:48.549Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
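Review bot: The rewritten `description` keeps only the FINS/Omron sentence and drops two INCONTROLLER discovery behaviours: the UDP multicast scan of port 27127 for Schneider PLCs and the TCP port 4840 scan for OPC UA servers. Nothing in the visible hunks shows where they were re-homed. Removing the `Dragos-Pipedream` reference in the preceding hunk is consistent with this, as that citation was used only in the dropped sentence. If the two behaviours now belong to another technique, confirm this commit adds `uses` relationships from `malware--d3aa1058-…` carrying those sentences and their citations; otherwise defenders lose the mapping for them. As a minor wording point, the kept sentence would read better as `obtain the MAC addresses associated with Omron devices`. The relationship object begins before this hunk, so its `id` and `external_references` are not all visible here.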
@@ -39553,12 +44315,10 @@ "id": "relationship--66d8f3d7-68e0-48a0-a563-4746922080fc", "created": "2024-04-09T20:48:46.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:49.011Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -39571,7 +44331,6 @@ "id": "relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68", "created": "2024-09-11T22:50:15.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Claroty Fuxnet 2024", @@ -39596,7 +44355,6 @@ "id": "relationship--66f79019-d52c-46a6-b605-c2335d1d3d20", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", 
@@ -39642,15 +44400,30 @@ }, { "type": "relationship", - "id": "relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd", - "created": "2023-09-29T18:02:52.119Z", + "id": "relationship--672329b4-2695-4373-a2e4-0fc16c75cc13", + "created": "2025-09-24T18:12:25.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-09-24T18:12:25.320Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd", + "created": "2023-09-29T18:02:52.119Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:49.950Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -39663,12 +44436,10 @@ "id": "relationship--6795c92f-848f-488e-9c25-d240f99c9b34", "created": "2023-09-28T21:23:39.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:50.161Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -39685,7 +44456,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--9ad17e7a-5920-42ac-9bf4-545b99162640", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", @@ -39698,7 +44468,6 @@ "id": "relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jeff Jones May 2018", @@ -39723,12 +44492,10 @@ "id": "relationship--67ae8423-c401-4c11-93d3-0454c288d934", "created": "2023-09-29T16:31:57.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:50.822Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -39741,12 +44508,10 @@ "id": "relationship--67dae594-4239-4756-a0bc-dee75de19e4c", "created": "2023-09-29T17:07:14.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:51.045Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -39754,12 +44519,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--67dd6b59-ef78-4732-beb8-4917156b6382", + "created": "2026-04-22T20:18:36.361Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:18:36.361Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--67e11f38-9f68-4989-8de3-da65af52063e", "created": "2023-03-30T19:24:54.896Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 ESET April 2022", @@ -39789,7 +44570,6 @@ "id": "relationship--67ed5edc-fd57-4b1c-9677-8f0758154526", "created": "2025-09-29T19:04:04.581Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -39823,12 +44603,10 @@ "id": "relationship--685249f9-e51a-4914-8b7f-09679e04198b", "created": "2023-09-28T19:49:11.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:51.723Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -39853,30 +44631,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1", - "created": "2023-09-28T19:39:25.832Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:02:52.150Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44", "created": "2020-05-14T14:40:26.221Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", @@ -39916,7 +44675,7 @@ { "source_name": "Mandiant FIN12 Oct 2021", "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.", - "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" + "url": "https://web.archive.org/web/20220313061955/https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" }, { "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", 
@@ -39937,49 +44696,15 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T22:20:55.390Z", + "modified": "2026-01-20T16:26:04.865Z", "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)(Citation: Mandiant FIN12 Oct 2021)(Citation: Microsoft Ransomware as a Service)", "relationship_type": "uses", "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--68c5a109-9dab-4bf1-953f-05e891bb41ca", - "created": "2025-09-29T19:16:08.208Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T19:16:08.208Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--68d30c45-766f-48b6-9405-0c969243332b", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:25:44.887Z", - "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--68e0f740-e04d-492c-b735-ce75f86a62f5", @@ -39989,7 +44714,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--e9f6c9ad-7368-43e3-9ba1-c9261323a1d1", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", @@ -40002,7 +44726,6 @@ "id": "relationship--691d1193-193a-4433-9a2e-1eb3fa239de6", "created": "2025-09-24T18:20:00.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -40014,12 +44737,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--692240ba-667e-4f37-9f35-f354240c5bdc", + "created": "2023-09-29T16:46:50.699Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:57.362Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--692324b4-064a-430c-8ffc-7f7acd537778", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Symantec", @@ -40044,12 +44783,10 @@ "id": "relationship--692ff921-c74d-40a4-ab31-879aba5f247a", "created": "2023-09-29T16:42:01.287Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:53.380Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -40079,7 +44816,6 @@ "id": "relationship--69889c90-e6d0-4007-9078-2bfbd7c18a91", "created": "2024-03-25T20:11:07.813Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA AA23-335A IRGC-Affiliated December 2023", 
@@ -40109,7 +44845,6 @@ "id": "relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "IEC February 2019", @@ -40131,15 +44866,30 @@ }, { "type": "relationship", - "id": "relationship--69cf4015-fae1-47f6-9253-1f99209288a5", - "created": "2023-09-29T16:27:34.964Z", + "id": "relationship--69963190-c0a1-4518-922f-0f6153e1f6a6", + "created": "2026-04-23T00:02:50.392Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T00:02:50.392Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--69cf4015-fae1-47f6-9253-1f99209288a5", + "created": "2023-09-29T16:27:34.964Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:54.220Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -40152,7 +44902,6 @@ "id": "relationship--69d19946-72fb-40ce-90fb-0757df8353b5", "created": "2024-11-20T23:05:29.090Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", 
@@ -40172,30 +44921,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820", - "created": "2023-09-29T17:44:19.135Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:02:54.629Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--69f5ca66-8334-47e1-920e-b9320e007c3b", "created": "2025-09-24T17:56:30.277Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -40209,15 +44939,49 @@ }, { "type": "relationship", - "id": "relationship--6a476f56-2c07-43be-8054-d978ee8eb924", - "created": "2023-09-29T16:42:12.160Z", + "id": "relationship--69f9597e-a47d-49bb-a182-376349f979ef", + "created": "2026-04-22T13:31:06.137Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T15:20:53.842Z", + "description": "Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--6a314797-9105-44e3-be5f-41b817454daf", + "created": "2026-04-23T00:27:00.713Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:33:16.859Z", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--6a476f56-2c07-43be-8054-d978ee8eb924", + "created": 
"2023-09-29T16:42:12.160Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:54.854Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
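Review bot: The `description` added for `relationship--69f9597e-a47d-49bb-a182-376349f979ef` reads "critical commands message" and joins two sentences with a comma, which blurs what the mitigation asks for. Suggested wording: `Provide an alternative method for sending critical command messages to outstations; this could include using radio/cell communication to send messages to a field technician who physically performs the control function.` Since this fallback path itself carries control instructions, the text could also say that the out-of-band channel should let the technician confirm who sent the instruction before acting on it.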
@@ -40225,42 +44989,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908", - "created": "2023-03-30T19:25:53.572Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Industroyer2 Mandiant April 2022", - "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", - "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" - }, - { - "source_name": "Industroyer2 Forescout July 2022", - "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", - "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:02:55.057Z", - "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", - "relationship_type": "uses", - "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": 
"relationship", "id": "relationship--6ad39b3a-a962-457f-852c-be7fc615e22f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", @@ -40285,12 +45018,10 @@ "id": "relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72", "created": "2023-09-29T16:31:22.789Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:55.918Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -40303,7 +45034,6 @@ "id": "relationship--6b0e8f60-ecdf-4140-9741-5b50df67353c", "created": "2024-03-25T20:06:37.050Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA AA23-335A IRGC-Affiliated December 2023", @@ -40333,7 +45063,6 @@ "id": "relationship--6b33ae4d-2c8b-434f-994e-7e0b1413ff2c", "created": "2025-09-29T19:12:03.315Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -40345,24 +45074,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--6b54f354-9059-4366-8077-87360c4db2ab", - "created": "2023-10-02T20:18:20.019Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:02:56.338Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07", @@ -40402,7 +45113,6 @@ "id": "relationship--6baa9172-04e4-416d-a009-668cda23fd5d", "created": "2021-10-08T15:25:32.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
@@ -40422,6 +45132,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--6bbb12c3-171d-45a5-a01b-a74b0c0704f0", + "created": "2026-04-22T16:02:56.600Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:53:04.770Z", + "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605", 
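Review bot: The mitigation text added for `relationship--6bbb12c3-171d-45a5-a01b-a74b0c0704f0` tells the reader to compare the firmware against a trusted hash "from trusted data sources (e.g., vendor site)", but it does not say that the reference hash has to arrive by a path independent of the firmware image. A hash published next to the download gives no assurance if that distribution point is the thing that was tampered with. A bare hash also only shows that the file matches the reference, not who produced it. Consider appending a sentence such as `Where the vendor signs firmware, verify the signature against a vendor key obtained out of band, and obtain reference hashes through a channel separate from the firmware download.` The phrase "This could be from" also has no clear referent and would read better as "The trusted hash could come from".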
@@ -40465,15 +45193,30 @@ }, { "type": "relationship", - "id": "relationship--6c31c795-935a-41ad-8db1-d74430f4a553", - "created": "2023-09-29T18:56:59.151Z", + "id": "relationship--6c20bab8-3b4d-4cbc-83f5-ad032c7ecde3", + "created": "2026-04-22T13:45:46.984Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T13:45:46.984Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--6c31c795-935a-41ad-8db1-d74430f4a553", + "created": "2023-09-29T18:56:59.151Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:02:58.609Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", @@ -40486,12 +45229,10 @@ "id": "relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4", "created": "2023-09-28T20:09:36.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:58.835Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -40504,12 +45245,10 @@ "id": "relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e", "created": "2023-09-28T20:08:52.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:59.035Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -40517,6 +45256,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--6ce3bd17-de4c-4ff3-9f7d-ae30efae2b58", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:39.776Z", + "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--6cf80e5b-075f-4220-83a5-dc471bb9244b", @@ -40526,7 +45290,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--f9ea25e7-6e63-4ef1-a8ad-47a4a261e175", "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", 
@@ -40556,7 +45319,6 @@ "id": "relationship--6d822f86-5793-403a-b176-5d533f6b81b3", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", 
@@ -40578,57 +45340,47 @@ }, { "type": "relationship", - "id": "relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5", - "created": "2023-03-10T20:35:16.772Z", + "id": "relationship--6e37ae60-f8db-4305-8235-8711c6cb8a4a", + "created": "2025-09-29T19:16:08.208Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:02:59.730Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", - "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "modified": "2025-09-29T19:16:08.208Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", - "id": "relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--6e5b9baf-8d51-4b1e-a0c4-09d4da904160", + "created": "2026-04-22T18:57:49.234Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:25:49.358Z", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "modified": "2026-04-22T18:57:49.234Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f", "created": "2024-03-26T15:42:22.024Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:00.601Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -40636,12 +45388,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--6ec8c4c2-9bfc-43ef-a634-f43cb951e06e", + "created": "2026-04-22T20:24:39.993Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:24:39.993Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--6ed07095-c23a-4676-807f-a544deaeb274", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "McAfee Labs October 2019", @@ -40688,12 +45456,10 @@ "id": "relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf", "created": "2023-09-29T17:41:50.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:01.272Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
@@ -40701,6 +45467,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--6f269b4c-b338-4b62-8a1a-f08268999b5c", + "created": "2026-04-23T00:01:57.093Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:01:57.093Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f", @@ -40723,12 +45506,10 @@ "id": "relationship--6f2ddada-d7df-4788-b5d1-9add185142e0", "created": "2023-09-28T20:02:57.330Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:01.724Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -40741,12 +45522,10 @@ "id": "relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e", "created": "2023-09-28T21:27:14.172Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:01.937Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -40756,15 +45535,31 @@ }, { "type": "relationship", - "id": "relationship--6f950c91-125b-46a0-aa40-239b4de2306a", - "created": "2023-09-28T21:14:03.305Z", + "id": "relationship--6f815d4c-0512-4d92-bcdf-068034233048", + "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-28T15:26:56.507Z", + "description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--6f950c91-125b-46a0-aa40-239b4de2306a", + "created": "2023-09-28T21:14:03.305Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:02.130Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -40777,7 +45572,6 @@ "id": "relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd", "created": "2024-09-11T23:00:00.833Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Claroty Fuxnet 2024", 
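Review bot: The `description` of the added `mitigates` relationship `relationship--6f815d4c-0512-4d92-bcdf-068034233048` ends with a literal `\n` inside the string (`...comm servers and RTUs.\n`). The added mitigations `relationship--703adc98-d4d1-409e-bf20-4e65921ae52f`, `relationship--72848957-910f-4fa5-8a59-383c0a9dae62` and `relationship--73ed52f4-4a98-47e7-84bf-5eae555d999d` in later hunks do the same, while `relationship--73dbe470-0d10-493b-b0ae-241da7dc0b58` ends cleanly with `...port scans.`. Tools that render or compare these descriptions get a stray line break on some entries and not others. I would end each of these strings at the final period, e.g. `"description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.",`.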
@@ -40802,7 +45596,6 @@ "id": "relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", 
@@ -40822,12 +45615,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--6fb4c5ec-4079-4419-a098-6e3cf026c360", + "created": "2023-09-27T14:54:12.586Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:02:05.999Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet converter firmware, rendering the devices not operational. This meant that communication to the downstream serial devices was either not possible or more difficult. (Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7", "created": "2023-03-30T19:25:22.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 Forescout July 2022", 
@@ -40847,6 +45664,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--703adc98-d4d1-409e-bf20-4e65921ae52f", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:26:58.701Z", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--7041d8e5-3b74-402a-86b3-fd59def80632", 
@@ -40871,12 +45706,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--706bf21c-0722-43b3-8729-60370f648796", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--e69d1e15-76e1-434c-bd45-0354a10dde8a", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "DHS CISA February 2019", @@ -40901,7 +45752,6 @@ "id": "relationship--71422483-33e4-4131-a4ec-40322d91d8a0", "created": "2019-06-24T17:20:24.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Catalin Cimpanu April 2016", @@ -40931,12 +45781,10 @@ "id": "relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977", "created": "2023-09-28T19:55:37.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:04.320Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -40966,7 +45814,6 @@ "id": "relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -40979,12 +45826,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--71f61677-4406-4484-bacb-c8de82c7e1bd", + "created": "2026-04-22T14:33:24.324Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T14:33:24.324Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--f487a605-0acb-4b12-b157-33b75ebd9a40", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3", "created": "2024-09-11T23:00:48.583Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Claroty Fuxnet 2024", 
@@ -41004,29 +45867,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--7205e59d-c09a-4b06-b1fc-cee61ef8344d", - "created": "2025-09-29T19:15:19.909Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T19:15:19.909Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--7258c355-677c-452d-b1fc-27767232437b", "created": "2019-03-26T16:19:52.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019", 
@@ -41046,12 +45891,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--72848957-910f-4fa5-8a59-383c0a9dae62", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:25:17.653Z", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--730580d4-d68c-407f-9d09-f379e9aefc7e", "created": "2023-03-30T19:25:41.475Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 Forescout July 2022", @@ -41076,12 +45938,10 @@ "id": "relationship--73093c08-ea39-4956-8bff-55e15f6630cd", "created": "2023-09-28T20:07:59.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:05.863Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
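Review bot: The description added on `relationship--72848957-910f-4fa5-8a59-383c0a9dae62` presents firmware encryption only as a way to stop adversaries from finding vulnerabilities, which covers confidentiality of the image but not its integrity. A later hunk in this commit attaches the same `target_ref`, `attack-pattern--68a9324d-a524-4766-a899-a026f68a33df`, to a campaign in which RTU firmware was corrupted, so the technique appears to include firmware modification; this is inferred from that relationship, since the technique object itself is not in this hunk. If so, a reader could take this text to mean that encryption addresses that case, which it does not do alone. I would append a sentence such as `Encryption alone does not authenticate a firmware image; combine it with verification of signed firmware before installation.` to the description.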
@@ -41089,12 +45949,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--73856fa4-5abb-4341-bf51-1874cc1e6c26", + "created": "2026-04-22T20:25:39.530Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:25:39.530Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries corrupted the firmware in the Hitachi RTUs resulting in a fault that triggered a reboot loop.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos", 
@@ -41124,12 +46008,10 @@ "id": "relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148", "created": "2024-03-25T20:17:16.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:06.534Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -41139,15 +46021,74 @@ }, { "type": "relationship", - "id": "relationship--740082b7-2411-473a-a59d-4d46cf12f8b5", - "created": "2023-09-29T18:45:01.516Z", + "id": "relationship--73dbe470-0d10-493b-b0ae-241da7dc0b58", + "created": "2026-04-22T17:59:55.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T16:31:55.578Z", + "description": "Use network intrusion detection/prevention systems to detect and prevent port scans.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--73eaa82f-9ab0-430d-86b8-64ea85b18c91", + "created": "2024-03-28T14:29:46.095Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FireEye TRITON 2018", + "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. 
Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:05:39.957Z", + "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) leveraged [Triton](https://attack.mitre.org/software/S1009) to send unauthorized command messages to the Triconex safety controllers.(Citation: FireEye TRITON 2018)", + "relationship_type": "uses", + "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--73ed52f4-4a98-47e7-84bf-5eae555d999d", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:26:01.772Z", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": 
"relationship--740082b7-2411-473a-a59d-4d46cf12f8b5", + "created": "2023-09-29T18:45:01.516Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:06.769Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -41184,12 +46125,10 @@ "id": "relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7", "created": "2023-09-29T17:57:23.090Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:07.186Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -41197,6 +46136,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--74a6f16c-3a23-4cac-8592-fc363960f9df", + "created": "2026-04-22T20:17:57.960Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:17:57.960Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f", 
@@ -41213,14 +46169,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:07.420Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. (Citation: MDudek-ICS)", + "modified": "2026-04-17T16:33:22.188Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed.(Citation: MDudek-ICS)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -41312,12 +46268,10 @@ "id": "relationship--7584e57f-1258-4c47-b18d-99019a586e6c", "created": "2023-09-28T21:16:35.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:08.328Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -41330,12 +46284,10 @@ "id": "relationship--758773e3-d23d-44db-b5d3-643cde5b41f1", "created": "2023-09-28T19:45:07.511Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:08.526Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -41348,30 +46300,61 @@ "id": "relationship--758d5818-f919-4a6b-9dc2-a212595a11bd", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:08.752Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "modified": "2025-12-24T17:47:04.871Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--75911ed1-3cd0-485d-8130-3aae06712f4a", + "created": "2026-04-22T13:48:07.154Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:48:07.154Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--75b17842-7614-4c52-9a78-db096f8b653c", + "created": "2025-09-29T21:56:50.121Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-29T21:56:50.121Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48", "created": "2023-09-29T17:06:33.098Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:09.180Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", @@ -41384,12 +46367,10 @@ "id": "relationship--75e6adae-06a7-47e9-878e-74ca73004c3b", "created": "2023-09-28T20:30:01.641Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:09.421Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", @@ -41402,7 +46383,6 @@ "id": "relationship--75f486d8-c651-40ba-8e2e-81ee6c924ffc", "created": "2025-09-29T21:56:11.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -41419,12 +46399,10 @@ "id": "relationship--76537fd7-5782-4a8d-9b54-117b168a4306", "created": "2023-09-29T16:38:51.155Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:09.631Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -41437,7 +46415,6 @@ "id": "relationship--768b6ce0-8b1c-4424-a9e7-ee659a948fa9", "created": "2025-09-24T18:20:40.018Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -41451,15 +46428,30 @@ }, { "type": "relationship", - "id": "relationship--77566f94-5e26-41c9-892f-2f62b395afe7", - "created": "2023-09-28T20:01:43.057Z", + "id": "relationship--76cf41a1-f340-401c-b640-bf7fe5143f56", + "created": "2025-09-29T19:47:36.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-09-29T19:47:36.964Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--77566f94-5e26-41c9-892f-2f62b395afe7", + "created": "2023-09-28T20:01:43.057Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:10.076Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -41469,15 +46461,30 @@ }, { "type": "relationship", - "id": "relationship--77f3a64d-227d-487f-8484-89007e05b59f", - "created": "2023-09-28T21:16:14.153Z", + "id": "relationship--779d3d69-f079-4bee-b7ac-3d5164b9ec6d", + "created": "2026-04-22T20:23:55.959Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T20:23:55.959Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--77f3a64d-227d-487f-8484-89007e05b59f", + "created": "2023-09-28T21:16:14.153Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:10.528Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -41490,12 +46497,10 @@ "id": "relationship--78881a3d-59ad-4fbb-8bd2-69388a068584", "created": "2023-09-29T18:01:45.518Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:10.749Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -41503,30 +46508,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631", - "created": "2023-09-28T21:09:33.225Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:10.979Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--792324b4-064a-430c-8ffc-7f7acd537778", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Symantec", @@ -41551,12 +46537,10 @@ "id": "relationship--79235599-e23f-43cb-9c56-1eb22b7c4664", "created": "2023-09-29T16:38:38.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:11.899Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -41564,12 +46548,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--79259f05-a677-4512-bb57-8c3137d303ba", + "created": "2026-04-22T21:41:30.908Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:41:30.908Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--79324bdd-cdab-4d0a-af60-af1047c1d117", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -41587,12 +46587,10 @@ "id": "relationship--79407d1e-8e16-48c1-939c-ad92f91dd988", "created": "2023-09-29T16:30:19.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:12.327Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -41600,6 +46598,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--79516dd8-72de-4372-bfce-b7f4a98b98d7", + "created": "2023-09-28T20:11:42.579Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:24.426Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--798919d3-df8b-463f-b2be-4c1aa8089384", @@ -41629,12 +46644,10 @@ "id": "relationship--798de2f3-218b-4622-a62c-84e3840d45a6", "created": "2023-09-29T18:00:10.845Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:12.762Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -41644,15 +46657,30 @@ }, { "type": "relationship", - "id": "relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19", - "created": "2023-09-29T16:32:22.510Z", + "id": "relationship--799951e5-ab80-4b13-a136-7fbcab4e19af", + "created": "2026-04-22T22:47:57.090Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T22:47:57.090Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19", + "created": "2023-09-29T16:32:22.510Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:12.990Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -41665,7 +46693,6 @@ "id": "relationship--79d05cb2-ded0-4847-b52e-af7af421f303", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Kevin Savage and Branko Spasojevic", 
@@ -41685,12 +46712,45 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--7a29d34a-08fd-4aeb-8968-22856ad7429a", + "created": "2026-04-22T22:31:56.959Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:31:56.959Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--7a3fbac8-c666-4564-b02a-ea199bbcb2a5", + "created": "2023-09-28T20:31:17.116Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:29.670Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Hydro", 
@@ -41717,32 +46777,30 @@ }, { "type": "relationship", - "id": "relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--7ad4a725-8eb7-45b3-bfd7-f9bd29cc5970", + "created": "2023-09-28T20:30:32.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:25:57.162Z", - "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "modified": "2025-04-16T23:05:12.007Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0", "created": "2023-09-29T16:33:23.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:14.317Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -41755,12 +46813,10 @@ "id": "relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780", "created": "2023-09-28T19:45:42.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:14.536Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -41777,7 +46833,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--f4f3b9a6-2de0-45a5-8936-2ad9288191b9", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", @@ -41790,12 +46845,10 @@ "id": "relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b", "created": "2023-09-29T17:39:54.089Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:14.746Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -41808,12 +46861,10 @@ "id": "relationship--7bb1dbec-7314-479a-9496-86f8e25041eb", "created": "2023-09-29T16:40:43.415Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:14.965Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -41826,12 +46877,10 @@ "id": "relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07", "created": "2023-09-29T18:49:01.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:15.169Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -41844,12 +46893,10 @@ "id": "relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84", "created": "2023-09-28T20:07:15.553Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:15.437Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", @@ -41862,7 +46909,6 @@ "id": "relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07", "created": "2023-03-31T17:45:32.860Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Crashoverride 2018", @@ -41887,12 +46933,10 @@ "id": "relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea", "created": "2023-09-28T20:07:01.309Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:15.875Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -41938,14 +46982,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:16.338Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to download programs to Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ", + "modified": "2026-04-23T18:48:16.102Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) has used the CODESYS protocol to download programs to Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) [INCONTROLLER](https://attack.mitre.org/software/S1045) has also modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -41969,7 +47013,6 @@ "id": "relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", 
@@ -41994,12 +47037,10 @@ "id": "relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23", "created": "2023-09-29T18:48:29.126Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:17.412Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -42007,12 +47048,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--7c7777a0-f96a-414c-b294-e9f0744bf8b8", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:33.100Z", + "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--7c893581-c847-495a-aa93-9d98c516e1ae", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
@@ -42034,57 +47099,30 @@ }, { "type": "relationship", - "id": "relationship--7cd47eb6-e73a-4a0b-a62e-7e066090b804", - "created": "2024-03-27T19:55:40.243Z", + "id": "relationship--7cfaea56-6125-4aad-a491-ce2f54a88c24", + "created": "2026-04-22T20:42:02.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Mandiant-Sandworm-Ukraine-2022", - "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.", - "url": "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:18.083Z", - "description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used the MicroSCADA SCIL-API to specify a set of SCADA instructions, including the sending of unauthorized commands to substation devices.(Citation: Mandiant-Sandworm-Ukraine-2022)", - "relationship_type": "uses", - "source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "modified": "2026-04-22T20:42:02.295Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1", - "created": "2020-09-21T17:59:24.739Z", - 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:25:59.368Z", - "description": "Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--7d42ba22-9595-4463-8dda-c0e47a154fed", "created": "2023-09-28T20:07:48.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:18.952Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -42097,43 +47135,23 @@ "id": "relationship--7d5759cd-890e-4ec5-b92b-aba225d52960", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:19.166Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "modified": "2025-12-24T17:47:36.339Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:19.600Z", - "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "relationship_type": "mitigates", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--7d752615-33f0-44ed-a156-25d84f384e75", "created": "2023-09-27T14:57:11.627Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Ukraine15 - EISAC - 201603", @@ -42175,12 +47193,10 @@ "id": "relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b", "created": "2024-04-09T20:53:54.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:20.498Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -42188,6 +47204,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--7de5de32-6f37-4419-97b8-77eb9d69be40", + "created": "2025-09-29T19:02:59.197Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-29T19:02:59.197Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--7dedeb73-ef90-4282-a635-cc37326773af", 
@@ -42214,15 +47247,29 @@ }, { "type": "relationship", - "id": "relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858", - "created": "2023-09-29T16:32:46.335Z", + "id": "relationship--7e0531c4-fb87-4d66-9595-024a08a71598", + "created": "2026-04-20T20:54:20.734Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-20T20:54:20.734Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858", + "created": "2023-09-29T16:32:46.335Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:21.134Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -42235,12 +47282,10 @@ "id": "relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706", "created": "2023-09-28T20:28:16.122Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:21.376Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
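Review bot: The added `subtechnique-of` object `relationship--7e0531c4-fb87-4d66-9595-024a08a71598` in the first hunk has no `x_mitre_deprecated` key, although every other relationship added in the visible hunks sets `"x_mitre_deprecated": false`. Unless the omission is deliberate for this relationship type, add `"x_mitre_deprecated": false,` before `"x_mitre_attack_spec_version": "3.3.0"`. As written, tooling that filters active objects by reading that key has to default it when absent, and a strict filter would drop the technique/sub-technique link.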
@@ -42253,12 +47298,10 @@ "id": "relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7", "created": "2023-09-29T17:43:22.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:21.575Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -42266,6 +47309,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--7f3ee61b-3ef1-41da-9853-6520a2ea942d", + "created": "2026-04-22T22:52:08.690Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:52:08.690Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--7f520bef-d179-415a-b921-d30ff60d2284", @@ -42275,7 +47335,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--636329e6-32b9-4a71-acf8-ae6d01a6b4ef", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", 
@@ -42283,23 +47342,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:26:01.772Z", - "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451", @@ -42346,7 +47388,6 @@ "id": "relationship--80250a66-dec0-4ef5-8a76-b3aa24fe5bc3", "created": "2025-09-29T19:15:36.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -42363,7 +47404,6 @@ "id": "relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -42398,7 +47438,6 @@ "id": "relationship--80a69b56-337d-446a-8167-8b9f63083c4f", "created": "2022-09-28T21:24:21.810Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA-AA22-103A", 
@@ -42428,12 +47467,10 @@ "id": "relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b", "created": "2024-03-25T20:17:49.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:23.570Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -42443,15 +47480,48 @@ }, { "type": "relationship", - "id": "relationship--81055366-e78b-40e0-a799-4b536ba03db3", - "created": "2023-09-29T18:45:22.474Z", + "id": "relationship--80d77b53-6aa4-4703-946f-6c7f0748f823", + "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-28T15:24:32.756Z", + "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--81029694-8a6d-49f5-a053-ee2e29c086c7", + "created": "2026-04-22T22:30:19.729Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:30:19.729Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--81055366-e78b-40e0-a799-4b536ba03db3", + "created": "2023-09-29T18:45:22.474Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:23.776Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -42459,60 +47529,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--81352e47-4317-45e3-88b9-a97dd2166727", - "created": "2024-03-28T14:29:05.074Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "FireEye TRITON Dec 2017", - "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \u201cTRITON\u201d and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.", - "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:24.181Z", - "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.(Citation: FireEye TRITON Dec 2017)", - "relationship_type": "uses", - "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6", - "created": "2023-09-28T20:11:42.579Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:24.426Z", - "description": "", - "relationship_type": 
"targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--81806f43-c9aa-486e-8032-4e4665ba0d39", "created": "2023-09-29T18:43:13.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:24.650Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -42525,12 +47550,10 @@ "id": "relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32", "created": "2023-09-28T21:13:00.330Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:24.878Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -42555,12 +47578,63 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--81cd1138-ca48-4c06-8964-3fe007b3593a", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-12-24T17:47:20.456Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--81fd1ae0-e3ef-40b7-86d8-89c85fd86100", + "created": "2025-10-21T15:10:28.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-10-21T15:10:28.402Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c0e6c96d-8605-407a-9bce-628e7853b07f", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--82810cd2-99e9-4ef6-b3fb-0a7a47d76661", + "created": "2023-09-28T20:06:15.180Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2025-04-16T23:02:40.318Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--82b20c35-88c6-49aa-8241-a59512b17b74", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
@@ -42587,15 +47661,55 @@ }, { "type": "relationship", - "id": "relationship--83a964cb-730c-44e4-859b-b5246159396b", - "created": "2023-09-29T17:59:43.275Z", + "id": "relationship--8315b50c-08b9-4a9b-b8cf-13bc4d97427f", + "created": "2026-04-22T19:58:17.858Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:20:11.148Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries executed PowerShell commands on the Human Machine Interface (HMI) to make configuration changes that enabled administrative shares and created a new firewall rule to enable traffic over port 445 as well as conducted network reconnaissance activities.(Citation: CERT Polska)\n\nDuring the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries executed PowerShell commands on the domain controller that collected and exfiltrated the SAM and SYSTEM registry hives and the Active Directory database (ntds.dit).(Citation: CERT Polska)\n\nDuring the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries logged into the Mikronika RTUs via SSH, with root privileges, and executed Linux commands to delete all the files on the system resulting in device failure.(Citation: CERT Polska)\n", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--834b1fa4-ee6d-43c7-9e07-1b6a47dee4a2", + "created": "2026-04-22T20:38:34.433Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T20:38:34.433Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--83a964cb-730c-44e4-859b-b5246159396b", + "created": "2023-09-29T17:59:43.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:25.998Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -42608,7 +47722,6 @@ "id": "relationship--83c29179-4805-403a-acf5-5151c4d2e556", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", @@ -42633,7 +47746,6 @@ "id": "relationship--83c8c216-7ff7-4bd3-9db4-573469628d95", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik August 2019", 
@@ -42658,7 +47770,6 @@ "id": "relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", @@ -42697,15 +47808,30 @@ }, { "type": "relationship", - "id": "relationship--84671396-a556-4a5d-9bb9-cac697277371", - "created": "2023-09-29T16:31:12.255Z", + "id": "relationship--8465924f-8201-43c4-bd7c-961215f839d0", + "created": "2026-04-22T16:36:05.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T16:36:05.760Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--84671396-a556-4a5d-9bb9-cac697277371", + "created": "2023-09-29T16:31:12.255Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:27.313Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -42718,12 +47844,10 @@ "id": "relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65", "created": "2023-09-28T21:11:15.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:27.552Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -42731,12 +47855,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--847962a8-3dfd-4b8c-81a8-dc8284766109", + "created": "2026-04-23T00:36:51.811Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:36:51.811Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--84b0a0f5-79e6-4e18-a7fe-0a0427911416", "created": "2025-09-29T19:49:31.019Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -42750,15 +47890,30 @@ }, { "type": "relationship", - "id": "relationship--84fa50ff-bb84-4ab6-b759-658c57532c42", - "created": "2023-09-29T16:32:09.319Z", + "id": "relationship--84d9ff92-234f-4b11-a350-fad07941ff3e", + "created": "2023-09-28T20:15:45.244Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:00:59.066Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--84fa50ff-bb84-4ab6-b759-658c57532c42", + "created": "2023-09-29T16:32:09.319Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:27.783Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -42771,12 +47926,10 @@ "id": "relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7", "created": "2023-09-29T18:01:32.878Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:28.038Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -42789,12 +47942,10 @@ "id": "relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75", "created": "2023-09-29T17:59:22.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:28.278Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -42807,7 +47958,6 @@ "id": "relationship--856cf76e-5058-41f0-ae71-6cb463fc36c7", "created": "2025-09-24T18:18:02.902Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -42824,7 +47974,6 @@ "id": "relationship--856e18a8-df82-402a-9105-ff4b7e4caf12", "created": "2024-11-20T23:07:17.528Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", 
@@ -42849,29 +47998,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--857f7961-1b88-4ec7-8821-25083dc70048", - "created": "2025-09-29T19:02:37.703Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T19:02:37.703Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--85b1bbb1-458f-4be3-8bd9-ef0fa23179ee", "created": "2025-09-29T18:57:01.145Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -42888,7 +48019,6 @@ "id": "relationship--86668811-c57b-4aba-860f-22ca4d7b9600", "created": "2025-09-29T19:05:59.118Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -42905,7 +48035,6 @@ "id": "relationship--868db512-b897-4a54-ae56-ac78f6c93a14", "created": "2022-09-28T20:29:18.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA-AA22-103A", 
@@ -42935,12 +48064,10 @@ "id": "relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc", "created": "2023-09-28T19:58:13.866Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:29.013Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -42950,52 +48077,27 @@ }, { "type": "relationship", - "id": "relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:26:06.060Z", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c", - "created": "2023-09-28T21:09:41.659Z", + "id": "relationship--86d04319-a13e-4105-9def-c659360c4613", + "created": "2026-04-22T20:28:54.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:29.875Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "modified": "2026-04-24T19:41:03.866Z", + "description": "Ensure proper network segmentation is followed to protect 
critical systems and devices.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--86f1655a-db46-4d49-9051-6653da83eb13", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Keith Stouffer May 2015", 
@@ -43020,37 +48122,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--874752f4-59a2-46e9-ae28-befe0142b223", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", - "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:30.532Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a hardcoded password in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--876e4a50-7c73-4733-bad0-e3a701adf059", "created": "2025-09-29T21:58:16.538Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -43062,12 +48138,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--87a546cf-387f-48c6-9b0f-1179af49be88", + "created": "2026-04-22T22:48:12.355Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:48:12.355Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--87c8ab74-576d-4962-b641-0762d374d1e8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", @@ -43096,7 +48188,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--825106d1-6f44-47a1-b8dd-c3e3b6cecab7", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", @@ -43113,7 +48204,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--fddbd892-faa2-40e1-b40d-2c6e33c00f14", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", 
@@ -43123,15 +48213,82 @@ }, { "type": "relationship", - "id": "relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2", - "created": "2023-09-28T21:24:07.864Z", + "id": "relationship--8869fa66-e54f-4c03-8290-a86a0cd0d8d6", + "created": "2026-04-22T13:27:29.300Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T13:27:29.300Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--88c470f0-7214-4a2b-bd35-3c71733ce392", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Research Whitepapers September 2018", + "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + }, + { + "source_name": "Intel", + "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", + "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" + }, + { + "source_name": "N/A", + "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 
2020/09/25 ", + "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:26:53.568Z", + "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology.(Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory.(Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this.(Citation: Intel)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--88cadeca-4012-4716-a095-9e1c79e59ec3", + "created": "2023-09-29T16:47:08.696Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:01:50.768Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2", + "created": "2023-09-28T21:24:07.864Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": 
"2025-04-16T23:03:31.654Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -43139,12 +48296,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--890ddf20-18a6-4d23-98dd-970478133169", + "created": "2026-04-22T22:35:51.042Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:35:51.042Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--896e91ed-b145-43c2-a4c6-aa768fcb5293", "created": "2025-09-29T19:49:53.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -43161,12 +48334,10 @@ "id": "relationship--897cfc36-4253-4e1e-8825-726dbe9088a2", "created": "2023-09-28T19:55:02.944Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:32.235Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -43174,12 +48345,41 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--898a9eb9-671e-4096-8288-72ffb49e93f3", + "created": "2023-03-30T19:25:53.572Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Mandiant April 2022", + "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", + "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" + }, + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:02:55.057Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": 
"relationship", "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd", "created": "2021-10-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", @@ -43204,7 +48404,6 @@ "id": "relationship--8a3a5d90-a030-479e-b38d-d7d749f327d1", "created": "2025-09-29T19:08:00.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -43216,42 +48415,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:33.100Z", - "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108", "created": "2023-09-29T16:42:43.736Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:33.311Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -43268,7 +48440,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--74b96bd4-dab9-494e-a540-b7c998581fd5", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", 
@@ -43276,12 +48447,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--8a80c4f3-8f5b-4b22-b2e8-ad472d4df89d", + "created": "2026-04-23T00:37:26.011Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:37:26.011Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62", "created": "2023-09-27T14:50:09.612Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", @@ -43306,7 +48493,6 @@ "id": "relationship--8a9fde66-7874-4418-8652-d8a987c0b5df", "created": "2025-09-29T22:05:35.591Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -43318,6 +48504,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--8ab684f0-96e1-4a4f-b139-44afd8d093f2", + "created": "2025-09-29T19:08:29.213Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-29T19:08:29.213Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--8b17ad46-b0cc-4766-9cae-eba32260d468", 
@@ -43358,21 +48561,37 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:34.317Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) uses TriStations default UDP port, 1502, to communicate with devices. (Citation: MDudek-ICS)", + "modified": "2026-04-17T16:33:42.807Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) uses TriStations default UDP port, 1502, to communicate with devices.(Citation: MDudek-ICS)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--8b303086-8ae7-415b-b46d-16ce814aa94f", + "created": "2026-04-22T16:35:32.349Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:35:32.350Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--8b3f5b8c-789e-4f61-8e5c-fb28f8662d32", "created": "2025-09-24T18:18:43.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
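Review bot: The rewritten description of the Triton relationship still reads `TriStations default UDP port`, which lacks the possessive apostrophe. The commit already touches this line to close the gap before the citation, so the wording can be fixed in the same pass: `uses TriStation's default UDP port, 1502, to communicate with devices.(Citation: MDudek-ICS)`. The object this line belongs to begins above the hunk, so its id is not visible here.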
@@ -43384,12 +48603,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--8b698bb5-5b69-4137-a3d4-f3acf251f87b", + "created": "2026-04-22T16:39:55.588Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:39:55.588Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f", "created": "2023-09-27T14:49:29.987Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", 
@@ -43416,28 +48651,25 @@ }, { "type": "relationship", - "id": "relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4", - "created": "2023-10-02T20:21:16.665Z", + "id": "relationship--8c03fd0a-646f-4d79-83fc-8ec428191810", + "created": "2026-04-20T20:54:24.019Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:35.161Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", - "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "modified": "2026-04-20T20:54:24.019Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--8c523980-7db0-4173-9df4-eba2c36f6655", "created": "2025-09-29T21:59:04.286Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -43454,7 +48686,6 @@ "id": "relationship--8c6fe57d-3344-4fe7-b547-a3c5046960bb", "created": "2025-09-24T18:12:11.580Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -43488,12 +48719,10 @@ "id": "relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95", "created": "2023-09-28T20:31:46.082Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:35.783Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -43501,12 +48730,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--8d0793f1-e818-4632-8fb6-8c4aa5c7f073", + "created": "2024-11-20T23:26:28.979Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos FROSTYGOOP 2024", + "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", + "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:07.373Z", + "description": "During [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041), the adversary initiated a firmware downgrade on impacted devices.(Citation: Dragos FROSTYGOOP 2024)", + "relationship_type": "uses", + "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91", "created": "2023-09-27T14:49:48.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Ukraine15 - EISAC - 201603", @@ -43535,7 +48788,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--09754c36-7be2-4536-aad2-a6c3568ba0e5", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", 
@@ -43545,15 +48797,47 @@ }, { "type": "relationship", - "id": "relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7", - "created": "2023-09-28T21:25:20.417Z", + "id": "relationship--8d39646f-b224-4209-8c05-15002ea797b9", + "created": "2026-04-23T00:29:36.779Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T00:29:36.779Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--8d4d0ce4-ca42-4a05-a959-89d6af2650e2", + "created": "2026-04-22T20:26:41.624Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:26:41.624Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7", + "created": "2023-09-28T21:25:20.417Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:36.191Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": 
"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -43570,7 +48854,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--2145faf1-28da-4ebc-9730-f2e2a8764ced", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", @@ -43607,12 +48890,10 @@ "id": "relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b", "created": "2023-09-29T17:05:44.653Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:37.044Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", @@ -43625,7 +48906,6 @@ "id": "relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", @@ -43650,7 +48930,6 @@ "id": "relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8", "created": "2023-03-30T19:00:57.773Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -43663,6 +48942,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--8f7df0c0-9cc3-4322-847d-1f4ec35dfa65", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:27:06.208Z", + "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--8f90363e-2825-4178-807f-9268a28760fa", @@ -43680,24 +48977,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--8f947e00-2579-4120-a8b0-d466e59fac1a", - "created": "2023-09-28T19:49:25.824Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:38.068Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3", 
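Review bot: The added description of relationship--8f7df0c0-9cc3-4322-847d-1f4ec35dfa65 ends with a literal `\n` inside the string (`...firmware activation or updating activity.\n`). The same trailing newline appears in the edited description in `@@ -43737,26 +49017,24 @@` and in relationship--9315cc99-8e64-4bdc-99b9-6c8ab9b1f5ce in `@@ -43959,15 +49247,74 @@`. The descriptions authored in 2026 in this change, such as relationship--931e05ae-0fc9-4e37-9c88-063b80fd1d61, have none. Since the commit is already normalising citation spacing in these strings, dropping the trailing `\n` would keep descriptions uniform for consumers that render or compare them verbatim.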
@@ -43727,6 +49006,7 @@ "id": "relationship--8fcecf74-36df-41ab-9476-539c9ac0b339", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security September 2016", @@ -43737,26 +49017,24 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:11.826Z", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "modified": "2026-04-23T20:04:07.019Z", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb", "created": "2023-09-29T17:04:17.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:38.724Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -43769,7 +49047,6 @@ "id": "relationship--9042b73d-5c10-4797-bace-71e49adeebdf", "created": "2025-09-24T17:55:03.798Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -43786,7 +49063,6 @@ "id": "relationship--90647f03-38a4-4364-a3af-53640a81360e", "created": "2023-03-31T18:11:19.943Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik August 2019", 
@@ -43813,35 +49089,17 @@ }, { "type": "relationship", - "id": "relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6", - "created": "2023-09-28T20:04:44.041Z", + "id": "relationship--90d4ef3f-f0d4-40ac-9f63-61242b757a32", + "created": "2026-04-22T16:39:16.222Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:39.033Z", - "description": "", + "modified": "2026-04-22T16:39:16.222Z", "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--909fba0a-f075-402f-8791-388ebd76647e", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "description": "", - "relationship_type": "detects", - "source_ref": "x-mitre-detection-strategy--de675cf4-144e-485c-a761-c72ebcb9e2bc", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" 
@@ -43851,7 +49109,6 @@ "id": "relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654", "created": "2021-04-12T10:12:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", @@ -43885,7 +49142,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--89e95503-b02c-43da-90b3-15584b27e6d6", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", @@ -43898,12 +49154,10 @@ "id": "relationship--910bada1-c923-4009-a9ea-da257072f168", "created": "2023-09-29T16:29:27.902Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:39.456Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -43911,6 +49165,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--9129c348-431e-45b4-8a7b-7bc71b47732b", + "created": "2026-04-22T21:35:09.040Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:35:09.040Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--91501bcb-896f-4bda-9f97-196145646185", + "created": "2026-04-23T00:30:00.479Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:30:00.479Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--91f29477-2ff6-4dbf-bf68-c8825a938851", 
@@ -43959,15 +49247,74 @@ }, { "type": "relationship", - "id": "relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e", - "created": "2023-09-29T17:38:40.536Z", + "id": "relationship--9315cc99-8e64-4bdc-99b9-6c8ab9b1f5ce", + "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-28T15:26:58.081Z", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--931e05ae-0fc9-4e37-9c88-063b80fd1d61", + "created": "2026-04-22T21:43:35.341Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:04:07.023Z", + "description": "Ensure systems and devices have an alternative method for communicating in the event that communication channels become unavailable.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--93489277-7107-4bad-a9d1-2013ef471905", + "created": "2026-04-23T14:06:34.173Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T14:06:34.173Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers.(Citation: Wylie-22)", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e", + "created": "2023-09-29T17:38:40.536Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:40.317Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -43980,7 +49327,6 @@ "id": "relationship--9397e373-3be0-4229-b390-fd5ed0482999", "created": "2025-09-24T18:13:57.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -43997,12 +49343,10 @@ "id": "relationship--93c336f2-7e7c-4c79-af16-faae03e66121", "created": "2023-09-29T18:44:09.293Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:40.516Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -44010,42 +49354,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:40.724Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. 
(Citation: DHS CISA February 2019)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--943a9a5c-7826-451d-ac73-34353ea40595", "created": "2023-09-29T16:33:36.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:40.934Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -44058,7 +49375,6 @@ "id": "relationship--94654460-b115-4056-beb1-e982ed33437b", "created": "2023-03-30T18:59:46.674Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Keith Stouffer May 2015", @@ -44088,7 +49404,6 @@ "id": "relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", 
@@ -44113,12 +49428,10 @@ "id": "relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6", "created": "2024-04-09T20:47:47.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:42.019Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -44128,28 +49441,52 @@ }, { "type": "relationship", - "id": "relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d", - "created": "2023-09-28T20:17:07.288Z", + "id": "relationship--954fc7ef-7e8a-446c-82d1-9798d8c00fbe", + "created": "2026-04-22T20:00:48.737Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:20:26.797Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used valid accounts to access Hitatchi RTUs, Mikronika RTUs, Hitachi Relion Protection and Control Relays, Mikronika HMI Computers, and Moxa NPort Serial Device Servers.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--962128bd-13b9-48a6-a4c8-3f07104a962f", + "created": "2026-04-22T16:07:15.471Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:42.230Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "modified": 
"2026-04-23T15:53:41.931Z", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--966b59c0-8641-432c-84f7-b2a712004d74", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", @@ -44191,12 +49528,10 @@ "id": "relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8", "created": "2023-09-28T20:25:30.229Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:42.947Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -44204,12 +49539,27 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--9700cbbe-4107-4c4f-b6df-32b9048e370a", + "created": "2026-04-20T20:54:21.238Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:21.238Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--973f5884-a076-413e-ac96-f0bd01375fb6", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -44227,7 +49577,6 @@ "id": "relationship--97756c8a-b702-472b-8d67-15464a73093e", "created": "2023-09-27T14:56:28.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", @@ -44274,12 +49623,10 @@ "id": "relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1", "created": "2023-09-29T16:40:54.250Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:44.374Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -44292,12 +49639,10 @@ "id": "relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e", "created": "2023-09-29T16:41:32.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:44.581Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -44310,12 +49655,10 @@ "id": "relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319", "created": "2023-09-29T18:47:52.800Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:44.807Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -44325,15 +49668,30 @@ }, { "type": "relationship", - "id": "relationship--982d0b4f-274a-4738-9262-57fc80d468f9", - "created": "2024-03-26T15:41:51.806Z", + "id": "relationship--98288d43-50ca-4720-a5e4-f76f07e9f7cd", + "created": "2026-04-22T22:49:14.057Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T22:49:14.057Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--982d0b4f-274a-4738-9262-57fc80d468f9", + "created": "2024-03-26T15:41:51.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:45.001Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -44350,7 +49708,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--519082ce-24ab-4f6b-9e86-b9443758c9d4", "target_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", @@ -44380,7 +49737,6 @@ "id": "relationship--984d517f-56a1-4eb4-95e5-994eb9c6c3b5", "created": "2024-03-27T20:46:21.569Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Mandiant-Sandworm-Ukraine-2022", 
@@ -44405,7 +49761,6 @@ "id": "relationship--98567b03-7421-4761-8caa-cbea82d89fe3", "created": "2024-03-26T15:40:06.457Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -44423,7 +49778,6 @@ "id": "relationship--9897bb19-d5bb-4c43-9415-983ba5c5bbe5", "created": "2025-09-29T19:52:11.047Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -44435,6 +49789,41 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--98d7d238-3473-4e3c-adc0-3c8d33341466", + "created": "2026-04-23T00:26:22.850Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:31:30.672Z", + "description": "ll field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--98e109ce-29d8-4711-91c1-a6322b20bd3a", + "created": "2026-04-22T20:16:47.589Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:16:47.589Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5", 
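Review bot: The `description` added on `relationship--98d7d238-3473-4e3c-adc0-3c8d33341466` begins with `ll field controllers`, so the leading `A` has been lost; the string should open with `All field controllers should restrict the download of programs`. The same clipped text is added on `relationship--9d463aef-aa70-4375-9ed3-4b0387ba70e6` in the hunk starting `@@ -44882,27 +50285,78 @@`. Both rows have `course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd` as `source_ref`, which suggests the text was pasted once and reused, so any other relationships created from that mitigation in this change are worth checking for the same truncation. While editing, `field technician` inside the parenthesis should probably be plural to match `engineers`.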
@@ -44461,7 +49850,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--442bf059-f7cf-460b-8200-f35e1e0a0c78", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", @@ -44474,7 +49862,6 @@ "id": "relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", @@ -44499,7 +49886,6 @@ "id": "relationship--990f944f-190d-456d-b194-f5ecb17a0868", "created": "2019-06-24T17:20:24.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Catalin Cimpanu April 2016", @@ -44524,12 +49910,10 @@ "id": "relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134", "created": "2023-09-29T18:03:23.576Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:46.711Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -44537,6 +49921,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--99d2eeab-8ace-41c9-b47d-4058dd906136", + "created": "2023-09-28T20:10:55.590Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:05:30.721Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--99ec0a8e-4a4f-427c-89db-163e4b206021", @@ -44566,12 +49967,10 @@ "id": "relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f", "created": "2023-09-28T19:56:54.642Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:47.341Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -44579,42 +49978,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--99fa6d92-0c41-44ed-bd30-dd0413785883", - "created": "2023-09-29T18:43:23.321Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:47.537Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf", - "created": "2023-09-28T20:04:32.626Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:47.761Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886", @@ -44637,7 +50000,6 @@ "id": "relationship--9a55e351-d3b7-460a-9a9d-6714c00db5f0", "created": "2024-03-25T19:59:09.628Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA AA23-335A IRGC-Affiliated December 2023", 
@@ -44674,12 +50036,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--9aacca46-bf65-4247-b14c-65359d1b47db", + "created": "2026-04-23T00:40:25.161Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:10:03.995Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--9abf0914-2508-4717-9f1a-8f209c2d20a3", "created": "2025-09-24T17:55:33.001Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -44696,12 +50082,10 @@ "id": "relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8", "created": "2023-09-29T18:58:05.958Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:48.878Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", 
@@ -44726,12 +50110,54 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--9b7bc0f3-c7cf-47e4-a3ed-0f91e01831ca", + "created": "2026-04-23T00:06:49.258Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:07:18.485Z", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--9b802cf9-03e4-414f-af09-fc108e96839c", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:25:19.555Z", + "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Xenotime 2018", @@ -44753,21 +50179,21 @@ }, { "type": "relationship", - "id": "relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875", - "created": "2023-09-28T19:37:35.485Z", + "id": "relationship--9ba6c904-d1bd-46dd-95fb-6da58333fa40", + "created": "2026-04-22T13:57:38.576Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:49.479Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "modified": "2026-04-23T15:35:41.060Z", + "description": "Devices should authenticate all messages between master and outstation assets.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -44778,7 +50204,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--58b4bda4-d69a-4a20-ab67-308c4451a5e8", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", 
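Review bot: The `description` added on `relationship--9b802cf9-03e4-414f-af09-fc108e96839c` ends in an escaped newline (`...before allowing installation.\n`), which the 2026-dated descriptions added elsewhere in this diff do not have. The same trailing `\n` is on `relationship--a05f4a7a-eebb-463a-97e6-1088b94fa78b` (hunk `@@ -45203,6 +50627,41 @@`) and `relationship--a1e6b6f0-b13c-48a0-b62d-12dfb80112ad` (hunk `@@ -45323,6 +50775,24 @@`). All three share the `created` stamp `2020-09-21T17:59:24.739Z`, so they look like one imported batch. Trimming the value to `"description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation."` keeps rendering and string comparison consistent with the other rows.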
@@ -44786,35 +50211,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1", - "created": "2023-09-28T20:11:52.625Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:49.669Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5", "created": "2023-09-28T19:59:44.009Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:49.859Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -44827,7 +50232,6 @@ "id": "relationship--9ca97ea4-faf6-484c-bccf-311c282bed02", "created": "2025-09-29T21:57:09.083Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -44868,7 +50272,6 @@ "id": "relationship--9ce25235-ad56-4158-a392-31ef70b10c2a", "created": "2025-09-29T19:52:49.261Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -44882,27 +50285,78 @@ }, { "type": "relationship", - "id": "relationship--9d5e2e86-8499-4051-93fc-c959ff1b6577", - "created": "2025-09-24T18:22:30.026Z", + "id": "relationship--9cfee66a-96e2-4dd9-b046-19f3562b3112", + "created": "2023-09-28T21:17:32.313Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-09-24T18:22:30.026Z", + "modified": "2025-04-16T23:04:10.410Z", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--9d10209f-077c-4d25-87e9-c1ea423a528f", + "created": "2026-04-22T20:19:16.164Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:19:16.164Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--9d463aef-aa70-4375-9ed3-4b0387ba70e6", + "created": "2026-04-23T00:38:38.695Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:31:43.196Z", + "description": "ll field controllers 
should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--9d69d936-58a0-4453-8424-40fcc7bc2e1c", + "created": "2023-09-29T17:05:20.132Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:05:31.104Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", @@ -44927,7 +50381,6 @@ "id": "relationship--9db1ecfe-72eb-42da-a09e-746663a53854", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "MDudek-ICS", 
@@ -44949,15 +50402,30 @@ }, { "type": "relationship", - "id": "relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500", - "created": "2023-09-29T18:07:28.902Z", + "id": "relationship--9e44709f-7068-4a2e-935b-44b309b76acd", + "created": "2023-09-28T21:11:29.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:04:56.117Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500", + "created": "2023-09-29T18:07:28.902Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:52.125Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -44970,7 +50438,6 @@ "id": "relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42", "created": "2021-01-04T21:30:14.830Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET Industroyer", 
@@ -45015,12 +50482,10 @@ "id": "relationship--9f2926a2-596f-459e-827e-6fe2d4646efd", "created": "2023-09-29T18:06:46.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:52.641Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -45033,7 +50498,6 @@ "id": "relationship--9f2f9cba-b7fc-45cb-8e66-e2f8f99ebe35", "created": "2025-09-29T19:01:58.777Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -45050,7 +50514,6 @@ "id": "relationship--9f43126d-5f6c-42a9-9908-49175c27ead7", "created": "2023-03-30T19:27:26.398Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 ESET April 2022", @@ -45080,12 +50543,10 @@ "id": "relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3", "created": "2023-09-28T21:12:14.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:52.949Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -45093,67 +50554,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:53.161Z", - "description": "Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0604) sends unauthorized commands to RTUs to change the state of equipment. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949", - "created": "2023-09-27T14:48:40.533Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Ukraine15 - EISAC - 201603", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018.", - "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:53.416Z", - "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)", - "relationship_type": "uses", - "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47", "created": "2023-09-28T20:04:19.147Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:53.610Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", @@ -45166,7 +50575,6 @@ "id": "relationship--a0151b8f-30ee-49da-8365-17f34eab0825", "created": "2025-09-24T18:23:29.097Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -45178,12 +50586,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--a016cddb-5cd8-485b-a207-9860e9ec0a02", + "created": "2026-04-23T00:02:30.922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:02:30.922Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a04169ed-c16b-466b-80ef-22a11067f475", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", 
@@ -45203,6 +50627,41 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--a05f4a7a-eebb-463a-97e6-1088b94fa78b", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:25:44.887Z", + "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--a07f265e-e04e-496c-b1bd-65f57b85a491", + "created": "2023-09-29T16:40:30.440Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:11.511Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2", 
@@ -45249,12 +50708,10 @@ "id": "relationship--a15d718f-af30-4745-a837-887ba8f48727", "created": "2023-09-29T16:30:46.705Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:54.855Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -45267,7 +50724,6 @@ "id": "relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Inc. June 2017", @@ -45292,12 +50748,10 @@ "id": "relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476", "created": "2023-09-29T16:43:16.472Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:55.269Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -45310,12 +50764,10 @@ "id": "relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3", "created": "2023-09-29T16:28:17.629Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:55.467Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -45323,6 +50775,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--a1e6b6f0-b13c-48a0-b62d-12dfb80112ad", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:25:15.857Z", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a20bde51-3ed9-4306-92cd-f4f12d3aa8aa", @@ -45332,7 +50802,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--f1a7e304-d05f-4e48-89b7-8b034f507c32", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", @@ -45345,12 +50814,10 @@ "id": "relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039", "created": "2023-09-28T21:16:05.517Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:55.878Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -45384,15 +50851,31 @@ }, { "type": "relationship", - "id": "relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b", - "created": "2023-09-29T16:44:03.912Z", + "id": "relationship--a23297f1-58b9-48f4-8289-e81c34d9a522", + "created": "2026-04-23T00:05:58.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T17:35:02.270Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b", + "created": "2023-09-29T16:44:03.912Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:56.284Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -45405,12 +50888,10 @@ "id": "relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d", "created": "2023-09-29T18:04:05.993Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:56.481Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -45423,12 +50904,10 @@ "id": "relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9", "created": "2023-09-29T16:36:28.818Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:56.945Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -45436,6 +50915,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--a31d48c1-785e-4587-a102-d910054143fb", + "created": "2025-09-24T18:22:30.026Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-24T18:22:30.026Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a3447ec8-3224-4485-9324-cdc77231aaa5", 
@@ -45445,7 +50941,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--930b268b-abf0-485f-9854-60c1cfdd2d33", "target_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", @@ -45458,7 +50953,6 @@ "id": "relationship--a36492bd-175a-4c39-9c56-32d06660dd05", "created": "2025-09-29T19:08:51.819Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -45472,15 +50966,83 @@ }, { "type": "relationship", - "id": "relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7", - "created": "2023-09-29T16:39:54.248Z", + "id": "relationship--a3971be9-7bef-4663-b6c3-3cffc418f76b", + "created": "2026-04-22T16:08:28.721Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T15:54:12.470Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--a3c8ede9-78d4-49c0-b1f2-16257c940189", + "created": "2026-04-22T22:51:49.356Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:51:49.356Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--a3df8609-d9c4-4ef0-9a58-8d7155fba4f7", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2025-04-28T15:24:55.506Z", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--a3f1ae82-b279-41ec-828e-40e969c7b165", + "created": "2023-09-29T18:07:09.213Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:35.331Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7", + "created": "2023-09-29T16:39:54.248Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:03:57.163Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -45490,33 +51052,48 @@ }, { "type": "relationship", - "id": "relationship--a45cec05-2d81-4db1-9267-db8be498e0d2", - "created": "2023-09-29T16:46:50.699Z", + "id": "relationship--a3fb7c3c-7064-43d2-849c-2a5893583de9", + "created": "2026-04-22T22:37:55.075Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:57.362Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "modified": "2026-04-23T17:17:29.121Z", + "description": "Segment operational networks to isolate critical systems and devices that do not require broad network access.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--a43e516e-603f-4863-a315-17c998b2f6f8", + "created": "2026-04-22T13:29:01.989Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:29:01.989Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac", 
"created": "2023-09-29T17:40:58.726Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:57.565Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
@@ -45526,68 +51103,30 @@ }, { "type": "relationship", - "id": "relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63", - "created": "2023-09-29T17:57:44.978Z", + "id": "relationship--a48f58bc-4119-4399-b7d1-7e44b867399d", + "created": "2026-04-22T16:38:52.943Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:57.777Z", - "description": "", + "modified": "2026-04-22T16:38:52.943Z", "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "ESET Research Whitepapers September 2018", - "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" - }, - { - "source_name": "Intel", - "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 
2020/09/25 ", - "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" - }, - { - "source_name": "N/A", - "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", - "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:03:57.968Z", - "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5", "created": "2023-09-29T17:40:08.922Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:58.166Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
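Review bot: This hunk deletes relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea, the `mitigates` entry carrying the BIOS/EFI integrity-check, TPM and hardware root-of-trust guidance for attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d, and nothing in the visible hunks shows where that guidance goes. The preceding hunk removes the `targets` relationship for the same attack-pattern, and the later hunk that removes relationship--a74c14e2 and relationship--a75ddacf drops its network-segmentation and BIOS/EFI patching mitigations. If the technique was revoked or merged in this release, please confirm that a `revoked-by` relationship and equivalent `mitigates` entries exist on the replacement object. Otherwise anyone building mitigation coverage from this bundle silently loses the firmware-integrity mapping.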
@@ -45600,7 +51139,6 @@ "id": "relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", @@ -45620,12 +51158,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--a4da9bf3-d9da-4bc3-bb59-a5d17fa53b20", + "created": "2026-04-22T20:46:51.429Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:46:51.429Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--56bf71a3-a28b-4a8f-84ed-3a71449d47c0", + "target_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a4e9cd0c-75aa-47ec-9fdc-ad9dd8935af2", "created": "2025-09-29T19:07:27.830Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -45642,7 +51196,6 @@ "id": "relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf", "created": "2023-09-27T14:45:26.126Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", 
@@ -45667,12 +51220,64 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--a5b4b91c-0f68-4b88-bd6f-ab226ae9b5f0", + "created": "2026-04-22T22:21:44.462Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LockerGoga Revisited", + "description": "Joe Slowik. (2020, March 17). Spyware Stealer Locker Wiper: LockerGoga Revisited. Retrieved April 22, 2026.", + "url": "https://www.dragos.com/blog/industry-news/spyware-stealer-locker-wiper-lockergoga-revisited/" + }, + { + "source_name": "Kevin Beaumont", + "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", + "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" + }, + { + "source_name": "Detecting LockerGoga", + "description": "Oleg Kolesnikov and Harshvardhan Parashar. (2019, April 30). Detecting LockerGoga Targeted IT/OT Cyber Sabotage/Ransomware Attacks. 
Retrieved April 22, 2026.", + "url": "https://www.securonix.com/wp-content/uploads/2021/07/Securonix-Threat-Research-Report-Detecting-LockerGoga.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:39:02.307Z", + "description": "[LockerGoga](https://attack.mitre.org/software/S0372) has disabled all the network interfaces on the system via netsh.exe to include Wi-Fi.(Citation: LockerGoga Revisited)(Citation: Kevin Beaumont)(Citation: Detecting LockerGoga)", + "relationship_type": "uses", + "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "target_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--a61fa979-f701-4dbe-b040-397b152ac14f", + "created": "2026-04-23T00:37:53.519Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:09:02.705Z", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a6277ff6-9cdf-484f-a902-3f9442039905", "created": "2024-09-11T22:55:18.833Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Claroty Fuxnet 2024", @@ -45697,7 +51302,6 @@ "id": "relationship--a6479493-6154-408f-90df-9d2f3ae352d1", "created": "2023-03-31T17:46:01.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Crashoverride 2018", @@ -45722,7 +51326,6 @@ "id": "relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28", "created": "2021-04-13T12:28:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Davey Winder June 2020", 
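Review bot: In the added relationship--a5b4b91c-0f68-4b88-bd6f-ab226ae9b5f0, the "Kevin Beaumont" external reference does not follow the citation format of its two siblings. Its `description` has no publication date, runs the author into the title, and ends with `Retrieved. 2019/10/16 ` including a trailing space, whereas "LockerGoga Revisited" and "Detecting LockerGoga" use "Author. (date). Title. Retrieved Month D, YYYY.". I would normalise it to `"description": "Kevin Beaumont. (<publication date>). How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business. Retrieved October 16, 2019."`, filling in the date from the source. A title-based `source_name` like the other two would also keep the `(Citation: ...)` markers in the description consistent.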
@@ -45742,29 +51345,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--a66c4662-0998-418e-9605-eae7d8dbb69d", - "created": "2025-09-29T19:02:48.640Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T19:02:48.640Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", @@ -45793,7 +51378,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--441ded70-7e25-47f1-b55c-0fafb7d4f44c", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", @@ -45806,12 +51390,10 @@ "id": "relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7", "created": "2023-09-29T17:05:56.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:59.902Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -45819,12 +51401,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--a6ebd61b-7845-4694-9860-2e8998f2841f", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:26:50.282Z", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927", "created": "2023-03-30T14:08:06.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", @@ -45849,12 +51448,10 @@ "id": "relationship--a72c212f-6d4f-4c5d-873d-afa42021024c", "created": "2024-03-26T15:42:10.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:00.313Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -45864,44 +51461,36 @@ }, { "type": "relationship", - "id": "relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--a7333752-af0d-42e0-88e5-7c1134e6e6c8", + "created": "2026-04-20T20:54:25.517Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:25.553Z", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "modified": "2026-04-20T20:54:25.517Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", - "id": "relationship--a75ddacf-e87e-4a99-83f2-618486473163", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--a7649bd4-5b10-4d55-adaf-228e31472dff", + "created": "2023-09-28T21:23:01.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:25.760Z", - "description": "Patch the BIOS and EFI as necessary.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "modified": "2025-04-16T23:05:25.902Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
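Review bot: The new `subtechnique-of` relationship--a7333752-af0d-42e0-88e5-7c1134e6e6c8 ends up without `x_mitre_deprecated`: the hunk removes the old object's `"x_mitre_deprecated": false,` line and adds nothing in its place. Every other relationship added in the visible hunks carries that key. A consumer that filters deprecated objects by indexing the key rather than defaulting it will either fail on this object or skip it, which would drop the parent link for attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c. I would keep `"x_mitre_deprecated": false,` ahead of `"x_mitre_attack_spec_version": "3.3.0"` on the new side.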
@@ -45929,15 +51518,30 @@ }, { "type": "relationship", - "id": "relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac", - "created": "2023-09-28T19:41:16.927Z", + "id": "relationship--a78fc081-051a-45ca-91c2-c3f29325cbf2", + "created": "2026-04-22T13:53:34.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T13:53:34.402Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac", + "created": "2023-09-28T19:41:16.927Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:01.326Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -45950,7 +51554,6 @@ "id": "relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -45980,29 +51583,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--a83e4676-2b9e-4b9d-bb21-f493f3ee3bbf", - "created": "2025-10-21T15:10:28.402Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-10-21T15:10:28.402Z", - "description": "", - "relationship_type": "detects", - "source_ref": "x-mitre-detection-strategy--c0e6c96d-8605-407a-9bce-628e7853b07f", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8", "created": "2021-04-11T14:06:54.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ICS CERT September 2018", 
@@ -46053,15 +51638,30 @@ }, { "type": "relationship", - "id": "relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1", - "created": "2023-09-28T20:28:27.970Z", + "id": "relationship--a849d434-a070-43ff-a73f-49ff616ad865", + "created": "2026-04-22T22:34:32.303Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T22:34:32.303Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1", + "created": "2023-09-28T20:28:27.970Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:03.314Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -46069,6 +51669,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--a8563939-14f9-4790-a8bb-6e984e3ad7ac", + "created": "2026-04-23T00:07:07.724Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:38:22.928Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a86cee0a-dc49-4c95-b5dc-37405337490b", @@ -46091,7 +51709,6 @@ "id": "relationship--a873cbaa-04c1-4402-a8d1-683cc7b1ac85", "created": "2025-09-29T19:45:58.559Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -46103,12 +51720,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--a8f136ed-4ab7-4dbc-ba22-db57ace5ed6e", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:26:59.142Z", + "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a91002fe-21b2-4417-9c23-af712a7a035c", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -46126,12 +51760,10 @@ "id": "relationship--a91295dc-b381-4dc9-9384-9f9949066778", "created": "2023-09-29T18:42:18.446Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:03.935Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -46144,7 +51776,6 @@ "id": "relationship--a918d944-e50b-4b2c-9b77-6e28afe68607", "created": "2025-09-29T21:58:43.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -46161,12 +51792,10 @@ "id": "relationship--a93ba793-24dd-47dd-b32c-4c3016124c90", "created": "2023-09-29T18:43:02.969Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:04.140Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -46179,7 +51808,6 @@ "id": "relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "MDudek-ICS", 
@@ -46199,6 +51827,41 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--a97c2f8c-c7c9-423f-8679-a58c11f8d409", + "created": "2026-04-22T22:37:05.299Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:37:05.299Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--a99cb0b8-4ac0-4712-850a-3aac16f87520", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:25:57.162Z", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--a9dd70c2-2f54-4b19-85df-df11cbeb0dbd", 
@@ -46208,7 +51871,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--b25c4621-5d38-43ee-871e-0e5c02f2f48c", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", 
@@ -46216,17 +51878,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--aa444531-fa05-4bb4-a23e-8ac133781131", + "created": "2026-04-22T17:27:46.121Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", + "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T13:42:51.920Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba", "created": "2023-09-29T17:42:56.284Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:04.996Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
@@ -46234,12 +51919,41 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--aabf71ab-4121-4e3e-888d-cc16d2133846", + "created": "2024-03-25T20:05:52.868Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA AA23-335A IRGC-Affiliated December 2023", + "description": "DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.", + "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a" + }, + { + "source_name": "CISA Unitronics November 2023", + "description": "DHS/CISA. (2023, November 28). Exploitation of Unitronics PLCs used in Water and Wastewater Systems. Retrieved March 25, 2024.", + "url": "https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:01:21.720Z", + "description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) discovered and exploited default credentials found on many Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). 
For many of these devices, the default password was set to \u20181111\u2019.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: CISA Unitronics November 2023)", + "relationship_type": "uses", + "source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de", + "target_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ab306654-2abb-4983-8d30-df4058adb06c", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Selena Larson, Camille Singleton December 2020", @@ -46259,24 +51973,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b", - "created": "2023-09-29T17:37:50.048Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:04:06.042Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8", 
@@ -46306,12 +52002,10 @@ "id": "relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e", "created": "2023-09-29T17:37:16.719Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:06.487Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -46324,12 +52018,10 @@ "id": "relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed", "created": "2023-09-28T19:41:30.623Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:06.728Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -46342,7 +52034,6 @@ "id": "relationship--ab8e129c-5411-4784-9194-068fa915da23", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov", @@ -46367,12 +52058,10 @@ "id": "relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291", "created": "2023-10-02T20:20:19.426Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:07.145Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
@@ -46382,71 +52071,45 @@ }, { "type": "relationship", - "id": "relationship--ac7b64c8-cac9-4efb-990e-eed5e7fb35ee", - "created": "2024-11-20T23:26:28.979Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos FROSTYGOOP 2024", - "description": "Mark Graham, Carolyn Ahlers, Kyle O'Meara; Dragos. (2024, July). Impact of FrostyGoop ICS Malware on Connected OT Systems. Retrieved November 20, 2024.", - "url": "https://hub.dragos.com/hubfs/Reports/Dragos-FrostyGoop-ICS-Malware-Intel-Brief-0724_r2.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:04:07.373Z", - "description": "During [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041), the adversary initiated a firmware downgrade on impacted devices.(Citation: Dragos FROSTYGOOP 2024)", - "relationship_type": "uses", - "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--ac933d76-8207-4bf7-add2-92b60cf3044b", - "created": "2023-09-28T20:04:54.213Z", + "id": "relationship--ac7a74a9-7e1d-49d2-b1d8-0f0712fd578f", + "created": "2023-09-28T20:31:31.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:07.564Z", - "description": "", + "modified": "2025-04-16T23:05:32.996Z", "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "source_ref": 
"attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", - "id": "relationship--acace658-da7e-4a19-aa98-8aec8c966dde", - "created": "2023-09-27T14:53:03.323Z", + "id": "relationship--ac8d2d28-5fdc-44d6-9e5a-8e5560b3f91f", + "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Ukraine15 - EISAC - 201603", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", - "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:07.778Z", - "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breaks after gaining control of operator workstations and accessing a distribution management system (DMS) application. 
(Citation: Ukraine15 - EISAC - 201603)", - "relationship_type": "uses", - "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "modified": "2026-04-23T19:13:21.882Z", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -46457,7 +52120,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--887ae691-a519-4b68-af26-bcea1483cef7", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", 
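Review bot: The citation added for `Department of Homeland Security September 2016` has a malformed `description`: `"Department of Homeland Security 2016, September Retrieved. 2020/09/25 "` has no document title, a stray period after `Retrieved`, and a trailing space. The relationship's own `description` also ends in a literal `\n`. The title should be filled in from the referenced document (to be confirmed against the URL) and the trailing whitespace trimmed in both fields. The `IEC February 2019` reference added in the `@@ -46789` hunk has the same `Retrieved. 2020/09/25 ` pattern, and the mitigation descriptions added for `relationship--a8f136ed-…`, `relationship--a99cb0b8-…` and `relationship--ae20022f-…` also end in `\n`.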
@@ -46465,12 +52127,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--acc646be-70db-48c0-9504-25ad122ddb40", + "created": "2026-04-22T22:33:32.825Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:33:32.825Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--acd320fb-8c30-48d4-8ca0-c5379e0998fc", "created": "2025-09-29T19:15:47.679Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -46491,7 +52169,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--d9469edc-7e55-41bc-8b17-a8db9fc6302e", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", 
@@ -46499,6 +52176,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--ad3774f0-d286-4315-95db-a3a78752ef3b", + "created": "2026-04-22T22:36:26.116Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:36:26.116Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ad7770c3-fe24-4285-9ce2-1616a1061472", @@ -46552,12 +52246,10 @@ "id": "relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b", "created": "2023-09-28T21:12:39.257Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:08.481Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -46570,7 +52262,6 @@ "id": "relationship--adc6a1fa-c265-481f-8cde-f28a30873682", "created": "2025-09-24T18:19:51.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -46604,7 +52295,6 @@ "id": "relationship--adf2072c-0341-4fc2-9d25-495b4af864e9", "created": "2023-03-10T20:09:22.370Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", 
@@ -46624,6 +52314,49 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--adf230b9-b622-473e-b7f4-6ea2dd13ab43", + "created": "2026-04-23T00:22:56.882Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FireEye TRITON Dec 2017", + "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \u201cTRITON\u201d and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:22:56.882Z", + "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.(Citation: FireEye TRITON Dec 2017)", + "relationship_type": "uses", + "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--ae0b459d-535d-4895-ac9f-6ec0518afe00", + "created": "2026-04-22T16:32:26.132Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:12:51.408Z", + "description": "Ensure embedded controls and 
network devices are protected through access management, as these devices often have insecure credentials which could be used to gain unauthorized access.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ae10e97a-90ac-498b-8601-01081dc4af8b", 
@@ -46643,15 +52376,49 @@ }, { "type": "relationship", - "id": "relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc", - "created": "2023-09-28T19:50:14.201Z", + "id": "relationship--ae1e5c1a-8f2f-4a5a-a262-3d485c20e7a0", + "created": "2026-04-22T21:43:12.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T17:10:07.791Z", + "description": "Segment operational networks to isolate critical systems and devices that do not require broad network access.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--ae20022f-25b5-4eff-8775-53f1e0ad91b8", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:24:43.876Z", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc", + "created": "2023-09-28T19:50:14.201Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:09.371Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -46681,7 +52448,6 @@ "id": "relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c", "created": "2023-03-10T20:36:34.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", @@ -46706,7 +52472,6 @@ "id": "relationship--aec4cb16-bee9-410e-bb74-e3fa70cacf6a", "created": "2025-09-24T18:17:46.146Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -46723,7 +52488,6 @@ "id": "relationship--af20f409-05ed-42c3-ae3e-09b047b84875", "created": "2023-09-25T20:49:25.308Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -46738,21 +52502,54 @@ }, { "type": "relationship", - "id": "relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379", - "created": "2023-09-28T21:17:32.313Z", + "id": "relationship--af374cf3-b440-4783-8e1b-243a8dbdeaf4", + "created": "2023-09-29T18:07:41.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:10.410Z", - "description": "", + "modified": "2025-04-16T23:01:51.006Z", "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--af453639-85a4-4dcc-8f6b-b9dbce1a45e4", + "created": "2026-04-22T22:30:43.151Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:30:43.151Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--af595409-2976-4c01-bfbe-8d9c88f2d697", + "created": "2025-09-29T19:48:07.839Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-29T19:48:07.839Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -46763,7 +52560,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--442e5dcf-7f41-4ba5-ba89-aefb0d1c63cf", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", 
@@ -46773,15 +52569,31 @@ }, { "type": "relationship", - "id": "relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d", - "created": "2023-09-29T16:44:42.393Z", + "id": "relationship--af5c41cb-063d-42a9-ad54-833bd65477d0", + "created": "2026-04-22T22:38:14.236Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T17:16:58.628Z", + "description": "Ensure systems and devices have an alternative method for communicating in the event that Ethernet communication channels become unavailable.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d", + "created": "2023-09-29T16:44:42.393Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:10.609Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -46789,6 +52601,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--af861c3e-966c-49aa-86c4-a76102977d16", + "created": "2026-04-23T00:26:01.683Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:11:55.425Z", + "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.(Citation: IEC February 2019)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108", 
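Review bot: The added description on relationship--af861c3e recommends SHA-2/SHA-3 over CRCs but does not say where the reference digest comes from. An unkeyed hash detects modification only when the expected value reaches the verifier over a path the adversary cannot alter; otherwise a replaced program can be accompanied by a matching digest. I would extend the last sentence, e.g. `Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used, with the reference value signed or obtained from a trusted source.` That also brings it in line with the firmware mitigation text on relationship--b58f623d, which already asks for comparison against a trusted hash.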
@@ -46832,46 +52669,26 @@ }, { "type": "relationship", - "id": "relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1", - "created": "2023-09-29T17:37:41.336Z", + "id": "relationship--b050dc4e-4d1c-442a-9824-d7bcb37181f4", + "created": "2026-04-22T13:53:10.127Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:11.313Z", - "description": "", + "modified": "2026-04-22T13:53:10.127Z", "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1", - "created": "2023-09-29T16:40:30.440Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:04:11.511Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--b05d678b-4d87-4261-9366-f8b757a77661", "created": "2024-03-28T14:27:51.356Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { 
"source_name": "FireEye TRITON Dec 2017", @@ -46896,7 +52713,6 @@ "id": "relationship--b07e6896-a840-49a1-8d58-94396a902b95", "created": "2023-03-31T17:56:07.978Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET Industroyer", @@ -46921,7 +52737,6 @@ "id": "relationship--b0831dd8-64c9-42a8-bf2f-755bdffaca59", "created": "2025-09-24T18:23:39.645Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -46938,12 +52753,10 @@ "id": "relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1", "created": "2023-09-28T21:21:18.081Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:12.342Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -46956,7 +52769,6 @@ "id": "relationship--b13417ea-d8da-497f-818f-d2d90562039a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -47013,12 +52825,10 @@ "id": "relationship--b1921480-8499-46a9-8396-2a2d747c5861", "created": "2023-09-28T19:58:00.892Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:13.826Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -47026,6 +52836,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--b1c35486-c714-4517-9f59-742765773fa3", + "created": "2023-09-28T20:15:56.470Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:47.514Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b", 
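Review bot: The added relationship--b1c35486 enters the bundle with `"modified": "2025-04-16T23:04:47.514Z"` but `"x_mitre_attack_spec_version": "3.3.0"`, while neighbouring objects with the same April 2025 modification date stay at 3.2.0. The same pattern appears on the added relationship--b36d4c7e, relationship--b3b289bf, relationship--b58f623d and relationship--b7a32080. Each object is new to this file and its spec version differs from that of its contemporaries, yet `modified` was not advanced. A consumer that syncs incrementally on `modified` would likely never pick these objects up. If these are new versions, the field should carry the release-time value, e.g. `"modified": "<timestamp of this release>"`; if they were restored unchanged from elsewhere, a note in the changelog would let downstream tooling force a full reload.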
@@ -47043,17 +52870,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--b217aaf1-0fe7-43cc-85ad-45b252651e2d", + "created": "2026-04-23T14:11:52.981Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T14:11:52.981Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--b21e0340-976d-44b2-94ae-f777199993c6", "created": "2023-09-28T19:39:00.326Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:14.229Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -47066,7 +52916,6 @@ "id": "relationship--b22637e7-f58c-4c7e-9d76-4b3ee97fa14b", "created": "2025-09-29T19:15:08.997Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -47083,7 +52932,6 @@ "id": "relationship--b22c6faf-0046-4f89-8c5a-4f5ca44b638d", "created": "2025-09-29T19:05:33.788Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -47100,7 +52948,6 @@ "id": "relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov", @@ -47129,7 +52976,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--fb0931d5-8eb9-4db2-a2a4-447c32b29bd4", "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", @@ -47142,12 +52988,10 @@ "id": "relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a", "created": "2023-09-28T21:10:50.480Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:14.850Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -47155,32 +52999,50 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--b2c3e6df-3e82-4b82-bb62-ca219dfdb934", + "created": "2026-04-22T16:37:53.016Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:37:53.016Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { - "source_name": "D. Parsons and D. Wylie September 2019", - "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", - "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" }, { "source_name": "Colin Gray", "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 
2020/09/25 ", "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" }, + { + "source_name": "D. Parsons and D. Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, { "source_name": "Josh Rinaldi April 2016", "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" }, - { - "source_name": "Aditya K Sood July 2019", - "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", - "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" - }, { "source_name": "Langner November 2018", "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25 ", 
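Review bot: The `Colin Gray` entry in `external_references` of relationship--b2defaaf still carries a merged citation string. It opens with the Parsons and Wylie title and only then gives "How SDN Can Improve Cybersecurity in OT Networks", although its URL is the HowSDN paper on cdn.selinc.com. This hunk reorders the references around it and leaves the string unchanged, and the same text is copied into the added relationship--b8c33196 further down. Following the format of the other entries, the value would read `"description": "Colin Gray How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 "`; the publication date is not recoverable from what is shown here.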
@@ -47190,14 +53052,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:35.109Z", - "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", + "modified": "2026-04-23T19:40:09.561Z", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.(Citation: D. Parsons and D. Wylie September 2019)(Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery(Citation: Josh Rinaldi April 2016), BACnet(Citation: Aditya K Sood July 2019), and Ethernet/IP.(Citation: Langner November 2018)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -47228,12 +53090,10 @@ "id": "relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f", "created": "2023-09-29T17:42:11.005Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:15.471Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -47246,12 +53106,10 @@ "id": "relationship--b33f2abc-a218-425b-9a90-b75445b7e142", "created": "2023-09-29T18:05:51.795Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:15.729Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -47268,7 +53126,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c7aea5e8-cd8b-4f79-be41-3a446cdde7b7", "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", @@ -47281,7 +53138,6 @@ "id": "relationship--b343e131-e448-46c6-815b-b86e4bd6d638", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Threat Intelligence August 2019", @@ -47306,7 +53162,6 @@ "id": "relationship--b346eec8-de90-407c-b665-387086bb4553", "created": "2022-09-29T01:36:02.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Wylie-22", 
@@ -47375,24 +53230,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--b352884f-2a60-41c6-b348-0bbb5859802a", - "created": "2023-09-28T20:01:52.459Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:04:16.436Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60", 
@@ -47412,15 +53249,30 @@ }, { "type": "relationship", - "id": "relationship--b37844c1-0338-44f6-9116-48fa0f079913", - "created": "2023-09-29T17:41:11.611Z", + "id": "relationship--b36d4c7e-2d4e-40ae-ae56-55c94adaf760", + "created": "2023-09-29T17:59:11.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:04:39.381Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--b37844c1-0338-44f6-9116-48fa0f079913", + "created": "2023-09-29T17:41:11.611Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:16.850Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -47433,7 +53285,6 @@ "id": "relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Chris Bing May 2018", 
@@ -47458,12 +53309,10 @@ "id": "relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2", "created": "2023-09-28T19:48:58.160Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:17.270Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -47488,12 +53337,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--b3b289bf-da9d-40b2-bedd-ca1b65271825", + "created": "2023-10-02T20:18:11.933Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:01:48.055Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--b3f2990b-855e-49f3-b657-6b24118b2d19", "created": "2025-09-29T19:48:23.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -47507,15 +53372,29 @@ }, { "type": "relationship", - "id": "relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08", - "created": "2023-09-28T20:02:20.170Z", + "id": "relationship--b3f2dffc-b79d-4de0-85eb-2d3238a4f36b", + "created": "2026-04-20T20:54:21.776Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-20T20:54:21.776Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08", + "created": "2023-09-28T20:02:20.170Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:17.889Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -47528,7 +53407,6 @@ "id": "relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov", @@ -47553,7 +53431,6 @@ "id": "relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -47571,7 +53448,6 @@ "id": "relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3", "created": "2023-03-30T18:59:30.677Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -47584,30 +53460,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa", - "created": "2023-09-29T17:45:55.581Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:04:19.116Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1", "created": "2023-03-10T20:10:23.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", 
@@ -47629,15 +53486,48 @@ }, { "type": "relationship", - "id": "relationship--b59a96e4-bd70-4459-9609-66563bccd9c3", - "created": "2023-09-29T16:38:21.688Z", + "id": "relationship--b58d2485-55f4-45ee-b2e1-6e067ae8d81b", + "created": "2026-04-22T22:34:12.580Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T22:34:12.580Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--b58f623d-c61f-46e8-b356-09af226ba9ad", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:25:41.115Z", + "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. 
This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--b59a96e4-bd70-4459-9609-66563bccd9c3", + "created": "2023-09-29T16:38:21.688Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:19.725Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -47650,7 +53540,6 @@ "id": "relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Hydro", 
@@ -47697,17 +53586,18 @@ "id": "relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:38.550Z", - "description": "Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.\n", + "modified": "2026-04-22T13:20:13.471Z", + "description": "Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft Windows.Graphics.Capture APIs), however, these may be needed for other critical applications.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -47731,12 +53621,10 @@ "id": "relationship--b6309476-8268-4c47-920b-8a556cd8ae4c", "created": "2023-09-29T18:47:07.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:20.814Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -47749,12 +53637,10 @@ "id": "relationship--b69905bd-6865-4092-9543-47bd9ae318ec", "created": "2023-09-28T19:54:22.618Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:20.999Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -47791,7 +53677,6 @@ "id": "relationship--b6a51a26-94fd-419f-b0c1-cc61e02e1475", "created": "2025-09-24T18:14:21.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -47808,7 +53693,6 @@ "id": "relationship--b6f48e41-f7a9-45ca-b445-9e262dd307a2", "created": "2025-09-29T19:54:47.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -47829,7 +53713,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--194cb4dd-81ca-4e64-94e2-911fab1219f9", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", @@ -47842,12 +53725,10 @@ "id": "relationship--b7284360-0d80-45bb-8486-263ae8f8fa63", "created": "2023-09-28T21:26:01.106Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:21.421Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -47877,12 +53758,10 @@ "id": "relationship--b7344dfb-621b-4558-ab22-6c1f256ee746", "created": "2023-09-29T16:46:27.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:21.886Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -47895,12 +53774,10 @@ "id": "relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2", "created": "2023-09-29T18:57:10.064Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:22.081Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", @@ -47913,7 +53790,6 @@ "id": "relationship--b7943cdb-1a6b-46cf-aebe-8282fd86c357", "created": "2025-09-24T18:04:00.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -47927,15 +53803,30 @@ }, { "type": "relationship", - "id": "relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586", - "created": "2023-09-28T19:51:42.728Z", + "id": "relationship--b7a32080-49ce-432f-8b75-abd944be4e82", + "created": "2023-09-28T20:11:52.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:03:49.669Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586", + "created": "2023-09-28T19:51:42.728Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:22.505Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -47965,12 +53856,10 @@ "id": "relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e", "created": "2023-09-29T18:42:53.573Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:22.938Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -47980,10 +53869,79 @@ }, { "type": "relationship", - "id": "relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58", + "id": "relationship--b8c33196-8fc2-4855-b764-cd49554f0223", + "created": "2026-04-22T20:28:21.888Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" + }, + { + "source_name": "Colin Gray", + "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" + }, + { + "source_name": "D. Parsons and D. Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, + { + "source_name": "Josh Rinaldi April 2016", + "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", + "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" + }, + { + "source_name": "Langner November 2018", + "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 
2020/09/25 ", + "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:44:25.851Z", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.(Citation: D. Parsons and D. Wylie September 2019)(Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery(Citation: Josh Rinaldi April 2016), BACnet(Citation: Aditya K Sood July 2019), and Ethernet/IP.(Citation: Langner November 2018)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--b8ce3f0c-7c11-4846-b567-a5d4233b0e6e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:13:00.762Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. 
For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Department of Homeland Security October 2009", 
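Review bot: The `Colin Gray` external reference added under relationship--b8c33196-8fc2-4855-b764-cd49554f0223 has a `description` that opens with the D. Parsons and D. Wylie citation text and only afterwards names "How SDN Can Improve Cybersecurity in OT Networks". The entry therefore describes two documents while its `url` points to one, which from the file name appears to be the SDN paper. Trim the description to that paper's own author, date and title; the Parsons/Wylie text already has its own `D. Parsons and D. Wylie September 2019` entry directly below. In the same hunk, the `Department of Homeland Security September 2016` reference added under relationship--b8ce3f0c-7c11-4846-b567-a5d4233b0e6e has no document title between the date and `Retrieved.`, so a reader cannot identify the guidance without opening the link.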
@@ -48003,6 +53961,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--b8e71df0-20c4-42b0-8d80-68e93fc084c2", + "created": "2026-04-22T20:13:51.408Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:20:39.685Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used default credentials to access Hitatchi RTUs, Mikronika RTUs, Hitachi Relion Protection and Control Relays, Mikronika HMI Computers, and Moxa NPort Serial Device Servers.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd", 
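Review bot: The `description` added for relationship--b8e71df0-20c4-42b0-8d80-68e93fc084c2 spells the vendor as `Hitatchi RTUs`, while the same sentence writes `Hitachi Relion Protection and Control Relays`. This is most likely a typo and should read `Hitachi RTUs`. Defenders who search the bundle by vendor name to find default-credential exposure would otherwise miss the RTU entry.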
@@ -48039,27 +54022,20 @@ }, { "type": "relationship", - "id": "relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--b9608e90-25f7-4a0a-b621-5512827ac169", + "created": "2023-09-29T17:38:59.611Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:41.201Z", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "modified": "2025-04-16T23:05:16.312Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
@@ -48083,7 +54059,6 @@ "id": "relationship--b9a1e946-4ece-48f3-949c-e1c2d39136fe", "created": "2025-09-29T19:14:59.837Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -48095,6 +54070,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--b9b45f7a-742f-4b72-bdee-577ceb539499", + "created": "2026-04-23T14:16:22.262Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:46:02.040Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102.(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--b9e82422-b072-494f-99c1-fcab07b90133", 
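Review bot: In the second hunk on this line, the reference added for relationship--b9b45f7a-742f-4b72-bdee-577ceb539499 gives the author as `Maik Brggemann` in `source_name`, in the reference `description`, and in the `(Citation: …)` marker. This looks like a non-ASCII character dropped from the surname, presumably `Brüggemann`. The citation markers in this file appear to be matched against `source_name`, so a correction has to change the key and the marker together. The character can be written as `\u00fc`, the same escaped form the file already uses for `\u2013`, to keep the bundle ASCII-safe.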
@@ -48141,7 +54141,6 @@ "id": "relationship--ba24af7b-dd2f-4c21-9ec5-27758b88da9b", "created": "2025-09-29T19:57:16.248Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -48155,15 +54154,30 @@ }, { "type": "relationship", - "id": "relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c", - "created": "2023-09-28T21:28:36.325Z", + "id": "relationship--ba394cbc-461d-44cc-8fa5-92f11a5c8e6b", + "created": "2026-04-22T18:53:03.069Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T18:53:03.069Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--6bdde391-76eb-4bd7-9e19-e805ab98b7ac", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c", + "created": "2023-09-28T21:28:36.325Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:25.010Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -48173,15 +54187,30 @@ }, { "type": "relationship", - "id": "relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a", - "created": "2023-09-28T20:03:54.209Z", + "id": "relationship--ba49c0ad-293e-46c3-a0f9-30a25dba415a", + "created": "2023-09-28T19:51:27.775Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:01:03.908Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a", + "created": "2023-09-28T20:03:54.209Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:25.206Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -48189,17 +54218,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--ba9ebebf-d5dd-4a5c-b44f-a07cc3ccac8b", + "created": "2023-09-27T14:48:05.715Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:02:30.269Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render serial-to-ethernet converters inoperable. 
(Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7", "created": "2023-09-29T18:49:34.208Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:25.429Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -48212,12 +54264,10 @@ "id": "relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341", "created": "2024-03-25T20:17:36.433Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:25.662Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -48225,6 +54275,22 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--badf753a-349e-4a3c-a425-b12efd65d856", + "created": "2026-04-20T20:58:44.598Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:44.598Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--baf4bd30-4213-43c3-b70c-54418e734caf", @@ -48264,12 +54330,10 @@ "id": "relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259", "created": "2023-09-29T16:45:08.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:26.310Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -48279,15 +54343,30 @@ }, { "type": "relationship", - "id": "relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc", - "created": "2023-09-28T19:53:44.848Z", + "id": "relationship--bbbbad6d-fc22-4f87-92e6-445f05e08e39", + "created": "2026-04-22T21:40:21.108Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T21:40:21.108Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc", + "created": "2023-09-28T19:53:44.848Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:26.525Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -48297,34 +54376,25 @@ }, { "type": "relationship", - "id": "relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba", + "id": "relationship--bc0e4ff7-ed61-41c0-84ca-66210241c9ce", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:26:43.150Z", - "description": "Devices should authenticate all messages between master and outstation assets.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--bc1e1980-8acf-4505-8142-d382d83421d4", - "created": "2025-09-29T19:47:36.964Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-09-29T19:47:36.964Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "modified": "2026-04-23T19:00:06.758Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. 
For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" @@ -48363,7 +54433,6 @@ "id": "relationship--bc383819-2e40-49b4-bea9-95eb5d418877", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", @@ -48388,12 +54457,10 @@ "id": "relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9", "created": "2023-09-28T21:22:21.776Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:27.370Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -48401,6 +54468,48 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--bc51e6c7-6211-4124-874d-4a5aea2efce0", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:53.161Z", + "description": "Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0604) sends unauthorized commands to RTUs to change the state of equipment. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--bc6f2a51-9307-4268-a6d6-51c02ae893fd", + "created": "2023-09-29T17:58:04.082Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:05:21.474Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3", @@ -48418,30 +54527,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:04:27.786Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", @@ -48466,7 +54556,6 @@ "id": "relationship--bd16f422-4869-49f8-9b86-16220e857c9b", "created": "2025-09-29T22:07:11.671Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -48478,12 +54567,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--bd2ee84f-349c-4a89-b224-d48269bd9b0a", + "created": "2026-04-22T22:47:25.522Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:47:25.522Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--bd639f3c-0887-49a6-9274-37e1e2d24808", "created": "2025-09-24T18:21:25.236Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -48500,12 +54605,10 @@ "id": "relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a", "created": "2023-09-28T21:16:24.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:28.188Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -48515,15 +54618,30 @@ }, { "type": "relationship", - "id": "relationship--bd869385-5778-4303-8993-cc6412d12303", - "created": "2023-09-29T18:45:59.108Z", + "id": "relationship--bd7bd67c-f636-481f-a301-7e8da69b5aef", + "created": "2026-04-22T18:58:48.061Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T18:58:48.061Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--bd869385-5778-4303-8993-cc6412d12303", + "created": "2023-09-29T18:45:59.108Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:28.405Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -48550,17 +54668,25 @@ }, { "type": "relationship", - "id": "relationship--bdcec963-7b0d-4c42-89e8-7b1dd9ba72c9", - "created": "2025-10-21T15:10:28.402Z", + "id": "relationship--bdae915d-64f8-4944-949c-59a4d35b70c5", + "created": "2026-04-22T20:26:28.411Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:10:28.402Z", - "description": "", - "relationship_type": "detects", - "source_ref": "x-mitre-detection-strategy--b04e83cc-8ace-4880-8953-7ce55eb8c427", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "modified": "2026-04-22T20:26:28.411Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries damaged the Mikronika RTUs, Hitachi Relion Protection and Control Relays (IEDs), and HMI workstations resulting in a loss of communications and control between the facility and the distribution system operators (DSO).(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" 
@@ -48587,12 +54713,10 @@ "id": "relationship--be0f7d83-2441-4259-b411-46e0d10566b1", "created": "2023-10-02T20:23:24.179Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:29.045Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", @@ -48605,7 +54729,6 @@ "id": "relationship--be532c78-daf5-431b-adae-ab11af395513", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
@@ -48644,28 +54767,44 @@ }, { "type": "relationship", - "id": "relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2", - "created": "2023-09-28T20:31:17.116Z", + "id": "relationship--beb0c5be-2b81-4d8d-9d9f-35e496be4e0f", + "created": "2026-04-23T00:26:38.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:29.670Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "modified": "2026-04-23T17:32:24.809Z", + "description": "Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--bf08412c-f1ab-4b48-956b-177ce2474a2e", + "created": "2026-04-22T22:35:15.009Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:35:15.009Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--bf0e7347-1636-4b5e-9e2a-8b93177e5f85", "created": 
"2024-03-28T14:27:09.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TRITON 2018", 
@@ -48685,53 +54824,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76", - "created": "2023-09-29T16:46:12.472Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:04:30.059Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--bf8e68fe-1969-48d1-be0e-ec742378748d", - "created": "2023-09-29T18:56:34.302Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:04:30.459Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302", "created": "2023-09-29T18:06:02.077Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:30.650Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "target_ref": 
"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -48744,12 +54845,10 @@ "id": "relationship--bf9f227c-e306-4257-add1-39c7c2e42040", "created": "2023-09-29T18:47:28.758Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:30.863Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -48762,7 +54861,6 @@ "id": "relationship--bfe38597-c92b-4989-9687-3dd20a21f82d", "created": "2025-09-29T19:05:45.030Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -48803,30 +54901,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--bffad8de-a807-4216-9753-008a87d9d77f", - "created": "2023-09-28T19:56:40.730Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:04:31.162Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--c004d8e5-8079-4f6f-90ed-93cff4f69940", "created": "2025-09-24T18:14:07.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -48843,12 +54922,10 @@ "id": "relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef", "created": "2023-09-28T21:17:47.080Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:31.380Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -48856,12 +54933,53 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c09375e4-1c59-48f2-9151-f42151263bce", + "created": "2026-04-22T19:59:54.754Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:21:22.484Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used a graphical user interface (GUI) via the Remote Desktop Protocol (RDP) to access the Mikronika HMI and to execute commands.(Citation: CERT Polska)\n\nDuring the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used a graphical user interface (GUI) to connect to the domain controller via the Remote Desktop Protocol (RDP) to collect and exfiltrate data and attempt to destroy data on the system.(Citation: CERT Polska)\n", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--c09623fc-ee06-4d8e-828f-23d2bc895aaf", + "created": "2026-04-22T21:39:27.046Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2026-04-22T21:39:27.046Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c0c5f223-8546-47f9-acd0-ea47da6f768d", "created": "2025-09-24T17:56:19.121Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -48902,7 +55020,6 @@ "id": "relationship--c0fb868d-9b36-492d-9577-626ecf9d50c0", "created": "2025-09-29T22:02:30.857Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -48919,7 +55036,6 @@ "id": "relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f", "created": "2023-03-10T20:34:55.362Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", @@ -48944,7 +55060,6 @@ "id": "relationship--c137fcd2-ce51-4e17-9c2f-f1aaf9b64ce7", "created": "2024-03-28T14:28:47.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TEMP.Veles 2018", @@ -48973,7 +55088,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--06443942-ba28-4d13-b4b4-93317d6eafa5", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", 
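Review bot: In the hunk beginning `@@ -48856,12 +54933,53 @@`, the `description` of the added `relationship--c09375e4-1c59-48f2-9151-f42151263bce` packs two procedure statements into one string and ends in a stray `\n`. Each statement repeats the full campaign prefix and citation. The second paragraph (RDP to the domain controller to collect, exfiltrate and attempt to destroy data) describes more than GUI access to the HMI, so it may belong on its own relationship to a better-matching technique; the target technique's name is not visible here, so treat that as a question. At minimum, drop the trailing newline and keep one campaign prefix, as the single-sentence description on `relationship--bdae915d-64f8-4944-949c-59a4d35b70c5` does.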
@@ -49007,7 +55121,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c7737640-99e8-4efb-90ee-39332b623b33", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", @@ -49020,12 +55133,10 @@ "id": "relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2", "created": "2023-09-29T18:09:02.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:32.619Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -49038,12 +55149,10 @@ "id": "relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553", "created": "2023-09-29T17:09:48.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:32.817Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -49053,33 +55162,30 @@ }, { "type": "relationship", - "id": "relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5", - "created": "2023-09-29T16:28:39.397Z", + "id": "relationship--c1fc8829-4a5e-4633-8785-b5601f5067a9", + "created": "2025-09-29T19:02:37.703Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:33.039Z", - "description": "", + "modified": "2025-09-29T19:02:37.703Z", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c233df49-e450-4151-8a0f-1765faf3d75a", "created": "2023-09-29T17:08:08.883Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:33.275Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -49089,40 +55195,30 @@ }, { "type": "relationship", - "id": "relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2", - "created": "2023-03-10T20:09:49.009Z", + "id": "relationship--c247e63d-f1f8-4b69-b72f-866bfd14d4bb", + "created": "2026-04-22T16:10:21.873Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:33.468Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", - "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "modified": "2026-04-22T16:10:21.873Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f", "created": "2023-09-29T17:59:54.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:33.667Z", - 
"description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -49139,7 +55235,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--5ba60cf7-738d-4ed4-827c-8c763ad9f0f0", "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", @@ -49147,12 +55242,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--c2a6b6b8-d9ef-45e1-9b7f-5fdc039e190f", + "created": "2023-09-29T16:39:01.824Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:02:29.175Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", @@ -49177,7 +55288,6 @@ "id": "relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac", "created": "2021-04-13T12:28:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Threat Intelligence February 2020", 
@@ -49202,12 +55312,10 @@ "id": "relationship--c37f097a-9698-412f-9e96-4d350bcd2790", "created": "2023-09-29T16:44:26.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:34.277Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -49220,12 +55328,10 @@ "id": "relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608", "created": "2023-09-29T18:49:14.639Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:34.465Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -49233,12 +55339,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c3c23e7f-f778-4cd6-b2ac-69c1a5615d66", + "created": "2026-04-22T22:32:35.367Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:32:35.367Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c4122b58-f1b2-4656-a715-55016700bf75", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", @@ -49263,12 +55385,10 @@ "id": "relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b", "created": "2023-10-02T20:21:06.420Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:34.889Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", @@ -49281,7 +55401,6 @@ "id": "relationship--c44ad0d0-0d7e-4a31-877b-ac69b679cf8d", "created": "2025-09-24T18:04:13.732Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -49293,35 +55412,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--c4718fa2-2592-44b0-87d0-f866c118a779", - "created": "2023-09-29T18:07:09.213Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:04:35.331Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--c4a50132-a210-4093-878d-3d6df23ed26e", "created": "2023-09-29T17:10:09.146Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:35.724Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", @@ -49334,12 +55433,10 @@ "id": "relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37", "created": "2023-09-28T20:15:05.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:35.927Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -49352,12 +55449,10 @@ "id": "relationship--c4dd7251-ed87-4629-86b5-090e52a82df2", "created": "2024-04-09T21:00:32.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:36.124Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -49370,7 +55465,6 @@ "id": "relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Robert Falcone, Bryan Lee May 2016", @@ -49399,7 +55493,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c0abb110-c80e-4d6a-9f27-f2783f8bbfec", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", @@ -49412,7 +55505,6 @@ "id": "relationship--c4fa7c43-1b74-4d65-ade9-72b679f4bb49", "created": "2025-09-29T19:56:59.071Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -49429,7 +55521,6 @@ "id": "relationship--c52501e6-6c33-4c10-9c20-b868f71f8035", "created": "2025-09-24T18:24:47.882Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -49446,7 +55537,6 @@ "id": "relationship--c53a4f46-f8db-4d89-b21b-9f249c8297a1", "created": "2025-09-29T19:59:07.775Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -49467,7 +55557,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--62587e44-0623-4b14-bd45-126430eaed4a", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", @@ -49477,15 +55566,30 @@ }, { "type": "relationship", - "id": "relationship--c58563a8-d757-4476-8ae2-beb2acce38b3", - "created": "2023-10-02T20:20:55.473Z", + "id": "relationship--c56f7ce6-a077-41d3-94d7-440f85e61786", + "created": "2026-04-22T13:55:20.869Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T13:55:20.869Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--c58563a8-d757-4476-8ae2-beb2acce38b3", + "created": "2023-10-02T20:20:55.473Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:36.530Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
@@ -49498,12 +55602,10 @@ "id": "relationship--c596f45a-ad65-4673-b316-05378175f35e", "created": "2024-04-09T20:54:19.196Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:36.745Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -49516,7 +55618,6 @@ "id": "relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a", "created": "2019-03-25T19:13:54.947Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik April 2019", @@ -49541,12 +55642,10 @@ "id": "relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd", "created": "2023-09-29T18:43:49.839Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:37.152Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -49559,7 +55658,6 @@ "id": "relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16", "created": "2020-06-10T18:36:54.638Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Trend Micro Cyclops Blink March 2022", @@ -49633,7 +55731,6 @@ "id": "relationship--c613899c-1550-4a90-8ae9-7a964147093f", "created": "2025-09-29T19:14:51.386Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -49654,7 +55751,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--e6bc5359-4bd4-4688-9136-ac7a6b561f56", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", 
@@ -49662,12 +55758,46 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--c61fb9cc-8a3c-46e6-8ae6-856aa7f16723", + "created": "2026-04-22T21:41:52.241Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:41:52.241Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--c6258ef7-95dc-43ef-b0c2-a20011a48699", + "created": "2026-04-22T22:37:37.395Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:18:08.551Z", + "description": "Implement network allowlists to minimize network access to only authorized hosts.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", 
@@ -49692,7 +55822,6 @@ "id": "relationship--c6520346-fe47-44ce-af75-d99004ac2977", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", @@ -49712,34 +55841,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:26:50.282Z", - "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36", "created": "2023-09-28T21:27:50.246Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:38.535Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -49797,52 +55907,27 @@ }, { "type": "relationship", - "id": "relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8", - "created": "2023-09-29T17:59:11.267Z", + "id": "relationship--c71fafe8-ed54-44d1-be6e-9a018eb9a90f", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:39.381Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "modified": "2025-10-21T15:10:28.402Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--d8cb1dd3-8bf2-48e7-99db-473481b823a8", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:04:39.776Z", - "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. 
Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", @@ -49853,14 +55938,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:51.473Z", - "description": "When at rest, project files should be encrypted to prevent unauthorized changes. (Citation: National Institute of Standards and Technology April 2013)\n", + "modified": "2026-04-23T19:36:36.508Z", + "description": "When at rest, project files should be encrypted to prevent unauthorized changes.(Citation: National Institute of Standards and Technology April 2013)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", 
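Review bot: The reworded mitigation on relationship--c78f497f still says project files "should be encrypted to prevent unauthorized changes", but encryption at rest protects confidentiality and does not by itself stop or reveal modification. Since this description is being edited anyway, it could name an integrity control, for example `When at rest, project files should be encrypted and integrity-protected (e.g., digitally signed or stored with authenticated encryption) to prevent undetected unauthorized changes.` The wording should be checked against the cited NIST reference, which is not visible in this hunk.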
@@ -49901,6 +55986,47 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c7ae1f86-2029-4354-896b-baace526bf3c", + "created": "2026-04-22T13:56:41.640Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:56:07.376Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--c7c75b98-3fb2-46fd-93de-4e59f3181dae", + "created": "2026-04-20T20:58:49.920Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:49.920Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "target_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c80a479e-5e7b-449b-ace0-b5ced0d2d442", @@ -49910,7 +56036,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--60a55b7b-29a5-437e-83a7-edbe6f3c4415", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", @@ -49923,12 +56048,10 @@ "id": "relationship--c8222300-6c5e-42d6-ae67-3595407b89fd", "created": "2024-04-09T20:54:39.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:40.569Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -49941,7 +56064,6 @@ "id": "relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c", "created": "2022-05-06T17:47:21.168Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Carl Hurd March 2019", 
@@ -49966,6 +56088,22 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c892fb0a-4c9f-4332-a0d3-974a8fcab565", + "created": "2026-04-20T20:54:22.907Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:22.907Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6", @@ -49990,12 +56128,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c8c5e01d-cf78-402c-9f52-6f5c306fd300", + "created": "2026-04-22T18:58:29.496Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:58:29.496Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c8dd2735-bd04-4413-847d-316b77c6de19", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -50013,7 +56167,6 @@ "id": "relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a", "created": "2023-09-27T13:22:13.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", @@ -50055,7 +56208,6 @@ "id": "relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "SecureWorks September 2019", @@ -50080,6 +56232,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--c91514db-4e02-459e-9ff4-5092fdffb049", + "created": "2026-04-23T00:39:44.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:34:27.166Z", + "description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c", 
@@ -50102,12 +56272,10 @@ "id": "relationship--c95850f4-4616-435c-b237-f1985833d40e", "created": "2023-09-29T16:29:39.918Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:42.076Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -50124,7 +56292,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--97914ffd-b189-415e-9309-e63e3be01b1e", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", 
@@ -50134,15 +56301,30 @@ }, { "type": "relationship", - "id": "relationship--c9fb4adb-8064-426a-838d-c93674fb380b", - "created": "2023-09-29T18:44:38.035Z", + "id": "relationship--c9efe378-d028-4c09-83c7-491fadc3a1f9", + "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-10-21T15:10:28.402Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--09f46edf-33f9-4c23-af2f-74864c27f616", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--c9fb4adb-8064-426a-838d-c93674fb380b", + "created": "2023-09-29T18:44:38.035Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:42.312Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -50155,12 +56337,10 @@ "id": "relationship--ca13a117-aae0-4802-878b-c09f4a04dd31", "created": "2023-09-28T20:06:50.018Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:42.722Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -50173,12 +56353,10 @@ "id": "relationship--ca225ea0-e813-4205-98db-707b474ae24f", "created": "2024-04-09T20:49:44.575Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:42.923Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -50191,7 +56369,6 @@ "id": "relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", @@ -50262,12 +56439,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--ca77cbbf-8938-4dd0-b454-df5703bc1718", + "created": "2026-04-22T17:55:35.905Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T17:55:35.905Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--31773402-e407-4ed3-b86c-7a8587dc5ec9", + "target_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Carl Hurd March 2019", 
@@ -50292,6 +56485,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--cae90fbb-ba0d-4a9a-9da3-b9f32ab1cd07", + "created": "2026-04-23T00:38:14.226Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:09:25.837Z", + "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.(Citation: IEC February 2019)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b", @@ -50321,7 +56539,6 @@ "id": "relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
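Review bot: The new description on relationship--cae90fbb recommends cryptographic hashes over CRCs, but an unkeyed digest only demonstrates integrity when the reference value is kept where whoever alters the program cannot also rewrite it. One more sentence would close that gap, e.g. `Reference digests should be stored or delivered separately from the program, or the program should be digitally signed, so a modified program cannot simply be paired with a recomputed hash.` The IEC source itself is not visible here, so the final wording should be confirmed against it.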
@@ -50339,7 +56556,6 @@ "id": "relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", @@ -50364,12 +56580,10 @@ "id": "relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd", "created": "2023-09-28T21:14:29.099Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:44.717Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -50399,7 +56613,6 @@ "id": "relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794", "created": "2023-03-30T14:08:42.386Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "M. Rentschler and H. Heine", 
@@ -50419,12 +56632,97 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--cb6e6679-42b7-48ce-b546-7c45cdefb4c5", + "created": "2023-09-28T20:01:52.459Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:16.436Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--cb7fc6bb-f62d-4316-91d3-ecab283e2976", + "created": "2023-09-29T18:56:34.302Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:30.459Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--cb84ce4c-4fb7-4e16-b10c-c932d34f0699", + "created": "2026-04-22T21:36:37.108Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:36:37.108Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": 
"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--cb993689-bb59-4c96-b9fd-42cfcb92d76f", + "created": "2026-04-22T16:03:21.013Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Research Whitepapers September 2018", + "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + }, + { + "source_name": "Intel", + "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", + "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" + }, + { + "source_name": "N/A", + "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", + "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:07:32.354Z", + "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. 
Use Trusted Platform Module technology.(Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory.(Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this.(Citation: Intel)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--cba8313b-c338-45f7-88ef-a514094882ac", "created": "2022-09-28T20:28:39.348Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Wylie-22", @@ -50449,7 +56747,6 @@ "id": "relationship--cbc62104-d3df-499c-9630-b510e99f3acd", "created": "2025-09-29T19:07:05.860Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -50466,12 +56763,10 @@ "id": "relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d", "created": "2024-04-09T20:54:26.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:45.573Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
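Review bot: In the added relationship--cb993689, the `Intel` external reference's description opens with the ESET LoJax citation text before the Intel title, which looks like two entries concatenated, and the TPM reference carries `"source_name": "N/A"`, so the rendered mitigation reads `(Citation: N/A)`. Suggest `"description": "Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 "` for the Intel entry and a real source name for the TPM entry (its URL points at trustedcomputinggroup.org), changed in both `external_references` and the `(Citation: …)` marker so the two keep matching. Separately, the first sentence asks to check BIOS/EFI integrity "to determine if it is vulnerable to modification"; an integrity check shows whether firmware has been modified rather than whether it can be, so that phrase may need rewording.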
@@ -50484,12 +56779,10 @@ "id": "relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749", "created": "2023-10-20T17:05:25.595Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:45.801Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -50499,15 +56792,30 @@ }, { "type": "relationship", - "id": "relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a", - "created": "2023-09-29T16:30:08.166Z", + "id": "relationship--cc1f9236-42f2-463f-9894-44197fbe2867", + "created": "2023-09-29T16:39:09.447Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:05:24.415Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a", + "created": "2023-09-29T16:30:08.166Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:46.007Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -50537,7 +56845,6 @@ "id": "relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", @@ -50562,12 +56869,10 @@ "id": "relationship--ccbb44ad-2220-4260-99ce-9142c44fc797", "created": "2023-09-28T21:10:03.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:46.864Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -50575,12 +56880,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--ccc5523f-b7a7-4bd1-a9a2-eb00f44cc778", + "created": "2026-04-22T22:46:35.212Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:46:35.212Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jos Wetzels January 2018", 
@@ -50609,7 +56930,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--9f3df5ac-caa0-4189-9b9b-dcf2f6bbdc54", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", 
@@ -50619,45 +56939,77 @@ }, { "type": "relationship", - "id": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:26:56.507Z", - "description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, - { - "type": "relationship", - "id": "relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2", - "created": "2023-09-28T20:15:56.470Z", + "id": "relationship--cd0ba68b-398b-4df1-b9bd-c1ea3ba0791f", + "created": "2026-04-22T18:56:41.507Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:47.514Z", - "description": "", + "modified": "2026-04-22T18:56:41.507Z", "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--cd18f19c-71dc-4b7b-929c-647804d4c614", + "created": "2026-04-22T21:38:36.440Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:38:36.440Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--cd1be463-233c-43c8-b03d-fa0d6bdd8427", + "created": "2026-04-20T20:54:19.034Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:19.034Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--cd645dbe-000a-43f9-86e6-622bb1ab1053", + "created": "2026-04-23T00:41:02.190Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:38:51.867Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--cd6f1ca4-aaec-451d-b855-55cdb0c3dde8", "created": "2024-03-28T14:27:34.578Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Triton-EENews-2017", 
@@ -50682,17 +57034,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--cdc5aea4-1aac-4e6b-86cd-39617629d96b", + "created": "2023-09-27T14:53:03.323Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:04:07.778Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breaks after gaining control of operator workstations and accessing a distribution management system (DMS) application. 
(Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986", "created": "2023-09-29T16:31:36.462Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:48.157Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -50705,7 +57080,6 @@ "id": "relationship--ce5833db-4cd2-4034-ac97-8a02b14e0095", "created": "2025-09-29T19:03:17.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
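Review bot: The description added for `relationship--cdc5aea4-1aac-4e6b-86cd-39617629d96b` says commands were issued to `substation breaks`, which looks like a truncation of "substation breakers". The wording should be checked against the cited EISAC/SANS report and corrected, for example `issued unauthorized commands to substation breakers after gaining control of operator workstations`. The reference title in the same object spells `Ukranian`; it is worth confirming that against the source document too, since analysts searching by report title will otherwise miss this entry.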
@@ -50748,39 +57122,72 @@ }, { "type": "relationship", - "id": "relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--cea316fe-8a9d-4e7c-ab2e-6134585bb69f", + "created": "2023-09-28T19:49:56.464Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:05:29.445Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--cf3d020e-5ca7-4867-a502-654e445cc45c", + "created": "2024-03-27T19:55:40.243Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + "source_name": "Mandiant-Sandworm-Ukraine-2022", + "description": "Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. 
Retrieved March 28, 2024.", + "url": "https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:57.325Z", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "modified": "2025-04-16T23:03:18.083Z", + "description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used the MicroSCADA SCIL-API to specify a set of SCADA instructions, including the sending of unauthorized commands to substation devices.(Citation: Mandiant-Sandworm-Ukraine-2022)", + "relationship_type": "uses", + "source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--cf528b10-a4e6-49ed-8bc8-4629115d7752", + "created": "2023-09-29T17:57:44.978Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:57.777Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "target_ref": 
"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d", "created": "2023-09-29T16:29:16.222Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:49.067Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -50790,35 +57197,33 @@ }, { "type": "relationship", - "id": "relationship--cf8a816c-30ee-4147-a48f-d797fb145a04", - "created": "2023-09-29T17:43:10.828Z", + "id": "relationship--cf568097-5db4-4518-a786-87870dec04e0", + "created": "2026-04-22T20:27:00.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:49.460Z", - "description": "", + "modified": "2026-04-22T20:27:00.492Z", "relationship_type": "targets", - "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", - "id": "relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--cf8a816c-30ee-4147-a48f-d797fb145a04", + "created": "2023-09-29T17:43:10.828Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:58.081Z", - "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "modified": "2025-04-16T23:04:49.460Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": 
"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" @@ -50832,7 +57237,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--8ae936b6-b635-4104-bd11-81c18d90cf97", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", @@ -50845,12 +57249,10 @@ "id": "relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185", "created": "2023-09-28T21:15:44.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:49.882Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -50858,12 +57260,61 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--cfb7dbe9-53ac-4b51-b031-3ae26ad1e1a5", + "created": "2026-04-22T20:25:44.025Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:25:44.025Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--cfc97955-3fda-4152-94c6-106f58a5579b", + "created": "2026-04-20T20:54:16.106Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:16.106Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "target_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--cfea8d23-2078-4741-bc12-7afa7a2dffa0", + "created": "2023-09-28T21:09:41.659Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:29.875Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d015831c-a253-491d-9106-4ad0ccb43c3b", "created": "2025-09-24T18:23:51.180Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -50880,12 +57331,10 @@ "id": "relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab", "created": "2023-10-02T20:22:25.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:50.270Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
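Review bot: The added `subtechnique-of` object `relationship--cfc97955-3fda-4152-94c6-106f58a5579b` has no `x_mitre_deprecated` key, while the `targets` objects added beside it in this hunk carry `"x_mitre_deprecated": false`. The same hunk also writes `"revoked": false` on new objects while dropping that key from the existing `relationship--d015831c-a253-491d-9106-4ad0ccb43c3b`. If the omission is not intentional, adding `"x_mitre_deprecated": false,` to the sub-technique relationships keeps the serialization uniform. Either way, consumers that filter on these flags need to treat a missing key as false, or they will silently drop mitigations and detections from coverage views. `relationship--cd1be463-233c-43c8-b03d-fa0d6bdd8427`, earlier on the page, has the same shape.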
@@ -50895,35 +57344,58 @@ }, { "type": "relationship", - "id": "relationship--d03de729-9235-4ceb-a1c0-935e2088020b", - "created": "2023-09-28T21:29:12.533Z", + "id": "relationship--d035ee22-59f0-4d4e-9420-d26f43533b06", + "created": "2026-04-23T00:44:17.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:50.495Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "modified": "2026-04-23T00:44:17.657Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c1645705-a26f-45b2-aa68-ff5c93dfc0f4", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", - "id": "relationship--d08fdedd-12f6-4681-9167-70d070432dee", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--d03785b3-9b51-45f2-aff5-029555c53826", + "created": "2026-04-23T00:28:16.750Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:13:01.636Z", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--d03de729-9235-4ceb-a1c0-935e2088020b", + "created": "2023-09-28T21:29:12.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:58.701Z", - "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "modified": "2025-04-16T23:04:50.495Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" 
@@ -50937,7 +57409,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--fe11c904-752f-40e2-b269-c53bbb29541a", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", @@ -50950,7 +57421,6 @@ "id": "relationship--d1388bba-9869-4e3e-a6c9-430784ad924d", "created": "2023-09-27T14:59:13.988Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Ukraine15 - EISAC - 201603", 
@@ -50972,10 +57442,44 @@ }, { "type": "relationship", - "id": "relationship--d16e8909-d055-4174-aeb1-22c0613b2f73", + "id": "relationship--d1445579-245b-4698-a7df-365379e0d36d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "ESET Research Whitepapers September 2018", + "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + }, + { + "source_name": "Intel", + "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", + "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" + }, + { + "source_name": "N/A", + "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", + "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:12:02.052Z", + "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. 
Use Trusted Platform Module technology.(Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory.(Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this.(Citation: Intel)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--d16e8909-d055-4174-aeb1-22c0613b2f73", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
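Review bot: The `external_references` added with `relationship--d1445579-245b-4698-a7df-365379e0d36d` do not resolve cleanly as citations. The `Intel` entry's description begins with the ESET LoJax citation text before the Intel title, and the Trusted Computing Group reference is keyed `"source_name": "N/A"`, so the mitigation text cites `(Citation: N/A)`. Give the TPM summary a distinct, descriptive `source_name` with a matching `(Citation: …)` marker, and trim the Intel description to the Intel paper only. The description also still ends in `\n`, which the other mitigation descriptions added on this page have dropped.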
@@ -50988,34 +57492,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--d1971b32-3a15-4544-9f36-80c05121deb6", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:26:59.142Z", - "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--d1a97502-b41d-40a8-aff5-13367fefc642", "created": "2023-09-28T21:21:45.003Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:51.534Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -51028,12 +57513,10 @@ "id": "relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896", "created": "2023-09-29T16:28:52.111Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:51.758Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", @@ -51063,12 +57546,10 @@ "id": "relationship--d23fd724-563d-4f49-8bcd-09c653728cd3", "created": "2023-09-28T21:28:00.462Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:52.170Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -51081,12 +57562,10 @@ "id": "relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242", "created": "2023-09-28T19:53:20.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:52.379Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -51099,7 +57578,6 @@ "id": "relationship--d2a434c7-4428-435e-ae6b-e54012f29606", "created": "2023-09-25T20:43:52.987Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -51117,7 +57595,6 @@ "id": "relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Robert Falcone, Bryan Lee May 2016", @@ -51142,12 +57619,10 @@ "id": "relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999", "created": "2023-09-29T18:49:54.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:53.274Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -51160,12 +57635,10 @@ "id": "relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72", "created": "2023-09-28T19:38:27.199Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:53.470Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -51178,7 +57651,6 @@ "id": "relationship--d3717846-eaab-4fde-99f6-a972dec9323b", "created": "2024-03-27T19:43:45.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos-Sandworm-Ukraine-2022", 
@@ -51203,6 +57675,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--d3a24d5e-ae6e-4427-a1db-ae87b7a2b6e4", + "created": "2026-04-22T13:31:34.115Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:21:19.990Z", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104", @@ -51225,12 +57715,10 @@ "id": "relationship--d3d4f469-9847-41ef-a478-5eaf6003d483", "created": "2023-10-02T20:23:00.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:53.992Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", @@ -51243,7 +57731,6 @@ "id": "relationship--d3ec223b-9dca-4e5e-8d09-b69a04110eec", "created": "2025-09-29T19:07:38.953Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -51255,12 +57742,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--d40fab57-a843-45b9-a70d-6c795e1cc476", + "created": "2026-04-22T21:41:08.012Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:41:08.012Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d45464ea-98b2-4f57-8f42-1cccc49e075f", "created": "2025-09-24T18:14:34.036Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -51277,12 +57780,10 @@ "id": "relationship--d455330d-f190-4854-8087-4c2c37003b45", "created": "2023-09-29T17:39:29.897Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:54.422Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
@@ -51292,15 +57793,31 @@ }, { "type": "relationship", - "id": "relationship--d48894cb-457e-4a81-82b4-2d735aea5128", - "created": "2023-09-28T19:50:56.496Z", + "id": "relationship--d462143c-69d1-44c9-b657-b64deb12eab8", + "created": "2026-04-22T16:05:26.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T15:56:04.175Z", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--d48894cb-457e-4a81-82b4-2d735aea5128", + "created": "2023-09-28T19:50:56.496Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:54.613Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -51342,7 +57859,6 @@ "id": "relationship--d4a6d928-ac0c-4b27-a3bc-e42703b5859c", "created": "2025-09-29T19:02:23.617Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -51359,7 +57875,6 @@ "id": "relationship--d4da5e90-7986-4c8a-bfb6-df4c0586ce87", "created": "2024-03-27T20:48:27.536Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Mandiant-Sandworm-Ukraine-2022", @@ -51379,12 +57894,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--d4f64f95-42cd-46e6-8fcf-25ef0d868f5b", + "created": "2026-04-23T00:25:42.814Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:29:40.909Z", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a", "created": "2019-03-25T19:13:54.947Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik April 2019", @@ -51409,7 +57941,6 @@ "id": "relationship--d5289c2e-e5c4-443d-94ec-ce9a44992065", "created": "2025-09-24T17:56:06.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -51423,15 +57954,30 @@ }, { "type": "relationship", - "id": "relationship--d58d8b19-90bc-4a7f-840d-076be296ff20", - "created": "2023-09-29T17:09:01.803Z", + "id": "relationship--d55057c5-988d-4f66-bfba-650c49259d01", + "created": "2023-09-29T17:37:50.048Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:04:06.042Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--d58d8b19-90bc-4a7f-840d-076be296ff20", + "created": "2023-09-29T17:09:01.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:55.324Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", @@ -51444,12 +57990,10 @@ "id": "relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a", "created": "2023-09-28T19:43:49.584Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:55.515Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -51462,12 +58006,10 @@ "id": "relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d", "created": "2023-09-29T17:38:17.313Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:55.721Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -51480,12 +58022,10 @@ "id": "relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0", "created": "2023-09-29T17:08:23.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:55.928Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -51495,28 +58035,26 @@ }, { "type": "relationship", - "id": "relationship--d648b3c7-77d2-42f3-a367-620621b714ab", - "created": "2023-09-28T21:11:29.314Z", + "id": "relationship--d65646f0-f90c-4415-bbde-cce61f13898f", + "created": "2026-04-22T22:46:53.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:56.117Z", - "description": "", + "modified": "2026-04-22T22:46:53.310Z", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--d67ae959-9014-4501-b963-42bee03a5e3b", "created": "2024-03-25T20:09:34.908Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jamie Tarabay and Katrina Manson December 2023", 
@@ -51536,6 +58074,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--d67feaac-73ac-47b1-91ec-f537105afc58", + "created": "2026-04-22T17:51:33.089Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:38:07.805Z", + "description": "When at rest, project files should be encrypted to prevent unauthorized changes.(Citation: National Institute of Standards and Technology April 2013)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a", @@ -51558,7 +58121,6 @@ "id": "relationship--d717cc26-2fab-42cd-a67f-7079b1ce8f15", "created": "2025-09-24T18:18:58.353Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
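Review bot: The description added on `relationship--d67feaac-73ac-47b1-91ec-f537105afc58` says project files "should be encrypted to prevent unauthorized changes", but encryption at rest is a confidentiality control. Unless an authenticated mode or a separate signature is used, it neither prevents nor reveals modification of the stored file. I would reword it to `"When at rest, project files should be encrypted to prevent unauthorized disclosure and integrity-protected (for example with digital signatures or keyed hashes) so that unauthorized changes are detected."`, keeping the citation marker. The citation text in the same object is also garbled (`2013, April Security and Privacy Controls … Retrieved. 2020/09/17 ` with a trailing space). It points at SP 800-53 Rev. 4, which NIST has since superseded with Rev. 5, so the reference is worth normalising while the object is new.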
@@ -51570,12 +58132,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--d72458b4-b72b-4f0b-96da-eb3d9c6ef9a2", + "created": "2026-04-22T20:39:30.233Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:39:30.233Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--d72e7d01-56be-4fbd-8957-3384533ba83b", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jos Wetzels January 2018", @@ -51600,12 +58178,10 @@ "id": "relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de", "created": "2023-09-29T18:48:41.176Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:57.155Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -51615,15 +58191,30 @@ }, { "type": "relationship", - "id": "relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5", - "created": "2023-09-28T20:29:50.745Z", + "id": "relationship--d7ab9f93-163e-4000-9573-674a7e4de44c", + "created": "2026-04-22T20:26:01.557Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T20:26:01.557Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5", + "created": "2023-09-28T20:29:50.745Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:04:57.388Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", @@ -51636,7 +58227,6 @@ "id": "relationship--d7ea83fa-87c7-4d36-96d5-aee554504040", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET Bad Rabbit", @@ -51665,7 +58255,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--6d2ba563-0aa9-4f64-a14d-da62b694b495", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", 
@@ -51678,12 +58267,10 @@ "id": "relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18", "created": "2023-09-29T16:46:01.992Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:57.843Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -51696,7 +58283,6 @@ "id": "relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", @@ -51716,29 +58302,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--d84d4745-77d0-46e4-a876-82a15c745a88", - "created": "2025-09-29T19:47:53.277Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T19:47:53.277Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--d854cc38-adf7-485d-96b5-70606f6cb87e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -51756,7 +58324,6 @@ "id": "relationship--d8911566-f622-4a01-b765-514dbbfd8201", "created": "2022-09-28T20:27:01.345Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Wylie-22", @@ -51781,12 +58348,10 @@ "id": "relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa", "created": "2023-09-28T21:14:51.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:58.678Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -51816,12 +58381,10 @@ "id": "relationship--d8f95008-33c9-4572-9916-023d8de449b1", "created": "2023-09-29T18:04:16.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:59.116Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -51834,7 +58397,6 @@ "id": "relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ICS-CERT August 2018", @@ -51859,7 +58421,6 @@ "id": "relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", 
@@ -51884,12 +58445,10 @@ "id": "relationship--d96788b4-55dd-48df-bb9b-83b33ca24813", "created": "2023-09-28T19:55:22.376Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:59.970Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -51906,7 +58465,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--1bae319f-03d8-49c9-8bb8-e4f27bb69a11", "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", 
@@ -51916,15 +58474,47 @@ }, { "type": "relationship", - "id": "relationship--d9de58a6-58fd-499c-ba7d-588239297179", - "created": "2023-09-29T16:42:31.464Z", + "id": "relationship--d99fecbc-a7ea-4430-b933-afd239c4555b", + "created": "2023-09-29T18:43:23.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T23:03:47.537Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--d9a351b5-1d77-4f16-a191-1a8992c5bb5b", + "created": "2025-09-24T17:57:31.366Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-09-24T17:57:31.366Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--d9de58a6-58fd-499c-ba7d-588239297179", + "created": "2023-09-29T16:42:31.464Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:00.181Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": 
"x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -51937,12 +58527,10 @@ "id": "relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5", "created": "2023-09-28T19:51:11.687Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:00.416Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -51955,12 +58543,10 @@ "id": "relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a", "created": "2023-09-29T16:42:53.226Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:00.613Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -51973,7 +58559,6 @@ "id": "relationship--da246386-12c6-4d7e-adc2-f3148686d6c1", "created": "2025-09-29T22:06:02.769Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -51987,15 +58572,55 @@ }, { "type": "relationship", - "id": "relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0", - "created": "2023-09-29T18:06:57.332Z", + "id": "relationship--da38a045-d29a-4c08-9951-c8e520229584", + "created": "2023-09-27T14:48:40.533Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:53.416Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render serial-to-ethernet converters inoperable. 
(Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--da6aa4ab-039e-40fc-8188-8006ccd2ea8c", + "created": "2026-04-22T13:27:55.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T13:27:55.225Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0", + "created": "2023-09-29T18:06:57.332Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:00.816Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -52008,12 +58633,10 @@ "id": "relationship--da987131-bf37-4730-9914-323879d2b5c3", "created": "2023-09-28T20:34:11.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:01.013Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -52026,12 +58649,10 @@ "id": "relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8", "created": "2023-09-28T19:44:22.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:01.207Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -52048,7 +58669,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--e8b537e6-04eb-4168-a206-88cc041edf50", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", @@ -52061,12 +58681,10 @@ "id": "relationship--db46e84f-435e-4022-b484-e6d2e253660c", "created": "2023-09-29T18:06:13.468Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:01.600Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -52076,15 +58694,30 @@ }, { "type": "relationship", - "id": "relationship--dbcc492c-782e-4418-8373-dbc7a76498b0", - "created": "2023-09-29T17:45:35.293Z", + "id": "relationship--db5e5a2a-dc41-4f04-910e-ab4dfccd1e0d", + "created": "2026-04-22T18:59:44.658Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T18:59:44.658Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--dbcc492c-782e-4418-8373-dbc7a76498b0", + "created": "2023-09-29T17:45:35.293Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:02.024Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -52114,7 +58747,6 @@ "id": "relationship--dc35c44a-a90c-48a1-8811-af2618216e42", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -52127,29 +58759,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:27:06.208Z", - "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--dc5736b5-b906-41e9-b772-53d92b1aa48c", "created": "2025-09-24T18:04:59.096Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -52161,6 +58775,22 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--dd164aa3-1bec-4d3b-afb4-25f0e3a29f9f", + "created": "2026-04-20T20:58:41.108Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:41.108Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--dd350208-e49c-412f-b249-f09d8203f1eb", @@ -52170,7 +58800,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--3a772c6d-fda2-404a-86aa-85a0bdbb43e9", "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", 
@@ -52178,30 +58807,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, - { - "type": "relationship", - "id": "relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f", - "created": "2023-09-29T18:06:35.470Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:05:02.821Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--dda89758-9d0b-446d-b594-85acc7f9cb90", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", 
@@ -52240,17 +58850,61 @@ }, { "type": "relationship", - "id": "relationship--de981644-10f5-40bf-9ced-5c35ed8f9793", - "created": "2025-09-24T18:12:25.320Z", + "id": "relationship--de370506-01db-412f-a6fb-57c4014de788", + "created": "2026-04-23T00:38:54.094Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-09-24T18:12:25.320Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "modified": "2026-04-23T17:32:39.523Z", + "description": "Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--de6a1c7c-8d90-4f5c-8618-7c7ea9a2da89", + "created": "2026-04-22T16:02:26.676Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:49:23.881Z", + "description": "All devices or systems changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--de973619-e66f-4cb8-92fc-0d5fe85214fa", + "created": "2026-04-23T01:11:19.464Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T01:11:19.464Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used `arp` to conduct remote system discovery activities.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" 
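Review bot: The description added on `relationship--de6a1c7c-8d90-4f5c-8618-7c7ea9a2da89` opens with "All devices or systems changes", which reads as a typo in text that is published as mitigation guidance. I would change it to `All device or system changes, including all administrative functions, should require authentication.` and leave the rest of the sentence pair as written.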
@@ -52260,12 +58914,10 @@ "id": "relationship--dead5325-7efe-4dcc-bf78-42b9190f74da", "created": "2023-09-29T16:46:40.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:03.868Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -52278,12 +58930,10 @@ "id": "relationship--deb83319-bc5a-4b9b-a44a-bd369b899601", "created": "2024-03-25T20:18:12.056Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:04.076Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -52291,34 +58941,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--dede1ad8-7375-4d53-8a18-ac88008c78e1", - "created": "2025-09-29T22:06:41.935Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T22:06:41.935Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--def57041-6bb4-453a-bf04-188b9e97a35d", "created": "2023-09-28T21:26:34.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:04.312Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -52331,12 +58962,10 @@ "id": "relationship--df321d74-25d6-42da-80e8-3c9a291cb471", "created": "2023-09-28T19:57:41.602Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:04.505Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -52344,12 +58973,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--df67d728-289e-4d04-9635-d018c0764ce9", + "created": "2026-04-22T21:36:02.911Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:36:02.911Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -52367,12 +59012,10 @@ "id": "relationship--df7b521e-4496-432f-a61d-3094d0c7bc23", "created": "2023-09-29T17:58:26.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:04.930Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -52385,12 +59028,10 @@ "id": "relationship--df80e2b6-5672-4f26-a19c-a394f3731f24", "created": "2023-09-28T19:48:48.649Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:05.126Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -52403,7 +59044,6 @@ "id": "relationship--df88d021-cb8e-482d-9260-445d0a0244ac", "created": "2024-03-27T19:51:10.097Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Mandiant-Sandworm-Ukraine-2022", @@ -52428,12 +59068,10 @@ "id": "relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da", "created": "2023-09-28T20:11:11.658Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:05.761Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", @@ -52446,12 +59084,10 @@ "id": "relationship--dfb20521-91c2-4f55-b92a-dab959759b78", "created": "2023-09-29T18:03:38.874Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:05.955Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -52468,7 +59104,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--105c127f-2777-452e-bf61-b0786ee13861", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", @@ -52481,7 +59116,6 @@ "id": "relationship--dfc6fb8e-87f4-4a50-a21e-1df2ad35d3c6", "created": "2025-09-29T19:03:53.406Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -52495,15 +59129,30 @@ }, { "type": "relationship", - "id": "relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb", - "created": "2022-04-15T22:05:32.209Z", + "id": "relationship--dfcfa2cf-6873-46a7-a924-68783378c15d", + "created": "2026-04-22T13:54:19.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T13:54:19.768Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb", + "created": "2022-04-15T22:05:32.209Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T22:52:24.900Z", - "description": "", "relationship_type": "revoked-by", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", 
@@ -52513,28 +59162,37 @@ }, { "type": "relationship", - "id": "relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb", - "created": "2017-12-14T16:46:06.044Z", + "id": "relationship--e00efbb9-4663-4a0a-8fbe-d7dcc4395fc9", + "created": "2023-10-02T20:18:01.546Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.", - "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:05:06.275Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "modified": "2025-04-16T23:01:17.536Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--e0613dac-bb51-482a-b005-f58cf7a69e7b", + "created": "2026-04-22T22:47:42.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:47:42.854Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -52558,7 +59216,6 @@ "id": "relationship--e0aee02c-b424-4781-be10-793d71594c31", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", @@ -52600,7 +59257,6 @@ "id": "relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb", "created": "2023-03-10T20:08:40.601Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", 
@@ -52622,15 +59278,30 @@ }, { "type": "relationship", - "id": "relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e", - "created": "2023-09-28T19:42:54.009Z", + "id": "relationship--e100841e-fe9f-452f-8396-9aa635255efb", + "created": "2026-04-22T21:37:58.480Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T21:37:58.480Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e", + "created": "2023-09-28T19:42:54.009Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:07.806Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
@@ -52638,29 +59309,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--e13f8de3-3ea1-4987-9355-aad8d967a207", - "created": "2025-09-29T19:05:22.195Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-09-29T19:05:22.195Z", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.3.0" - }, { "type": "relationship", "id": "relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14", "created": "2023-03-31T17:44:45.164Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Crashoverride 2018", 
@@ -52680,17 +59333,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--e1653814-74cd-4885-906f-b3af88452917", + "created": "2026-04-23T00:06:22.758Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:06:59.502Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74", "created": "2023-09-29T17:08:48.251Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:08.436Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
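Review bot: The external reference added with `relationship--e1653814-…` has the description `"Department of Homeland Security 2016, September Retrieved. 2020/09/25 "`, which names no document title and ends in a stray space. A reader can only identify the source through the URL, so the citation becomes useless if the link rots. I would write it in the shape the CERT Polska entries in this diff use, e.g. `"Department of Homeland Security. (2016, September). <document title>. Retrieved September 25, 2020."`, with the title taken from the PDF itself. The same entry is repeated in the hunk at -52992 (`relationship--e62235fe-…`), where the other three references also use the `Retrieved. <date> ` form with the trailing space.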
@@ -52703,12 +59379,10 @@ "id": "relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4", "created": "2023-09-28T20:09:07.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:08.845Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", @@ -52721,7 +59395,6 @@ "id": "relationship--e257913e-40ba-4a05-ba97-0c3175c966b5", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", @@ -52751,7 +59424,6 @@ "id": "relationship--e323dee4-a896-4a82-85f5-d51d311b0437", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Max Heinemeyer February 2020", 
@@ -52771,12 +59443,44 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--e347c1e5-0c5b-42bb-b8d4-fafba4bcd319", + "created": "2026-04-22T16:35:10.762Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:35:10.762Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--e36e7e4d-fb9f-4396-bbc2-260dfc53cf8b", + "created": "2026-04-20T20:54:18.551Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:18.551Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00", "created": "2022-09-28T20:25:51.024Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos-Pipedream", 
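Review bot: The added `subtechnique-of` relationship `relationship--e36e7e4d-…` has no `x_mitre_deprecated` key, whereas `relationship--e347c1e5-…`, added directly above it in the same hunk, carries `"x_mitre_deprecated": false`. The `revoked-by` relationship `relationship--e7b44697-…` added in the hunk at -53103 is missing it in the same way. If the omission is not intentional for these relationship types, add `"x_mitre_deprecated": false,` after `x_mitre_modified_by_ref`. Otherwise, note for downstream parsers that the key is optional, so they do not index it unconditionally.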
@@ -52811,12 +59515,10 @@ "id": "relationship--e3b04152-0c90-41ff-a333-c5163fa9714f", "created": "2023-09-29T17:41:22.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:09.685Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -52829,12 +59531,10 @@ "id": "relationship--e41a04fe-a142-4294-a9f2-576214e1f985", "created": "2024-04-09T20:48:04.616Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:09.881Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -52847,12 +59547,10 @@ "id": "relationship--e434db5d-f201-4411-825f-4a50e1e78c75", "created": "2023-09-29T17:06:20.834Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:10.093Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -52862,15 +59560,55 @@ }, { "type": "relationship", - "id": "relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc", - "created": "2023-09-29T18:49:44.351Z", + "id": "relationship--e4850ba4-7933-4518-a9af-667cb99ff7f6", + "created": "2026-04-22T20:27:19.955Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:27:19.955Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries stole sensitive operational information that was used to plan the attack on the operational technology systems.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--e4897cee-6e09-440d-89fe-a299c696bb92", + "created": "2026-04-22T16:37:32.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T16:37:32.002Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc", + "created": "2023-09-29T18:49:44.351Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:10.309Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -52878,17 +59616,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--e49fb083-b1aa-4ac9-a99e-7e9ea1542e32", + "created": "2026-04-22T20:11:05.522Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:02:35.035Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used `nslookup` and `ping` to conduct remote system discovery activities.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972", "created": "2023-09-29T16:45:33.777Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:10.725Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -52901,12 +59662,10 @@ "id": "relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a", "created": "2024-04-09T21:00:11.159Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:10.930Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", @@ -52914,12 +59673,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--e4c87389-950e-45ab-b53a-3cafb21c08a3", + "created": "2026-04-22T20:15:55.649Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:15:55.649Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--e4e37e2e-c6fc-4a67-a1c5-b349b1cd5a79", "created": "2025-09-29T19:09:16.239Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -52931,6 +59706,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--e56064d9-388d-45b3-99a9-4eeec2e681da", + "created": "2026-04-22T22:42:50.619Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:42:50.619Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--feb80c7a-96cd-4300-b344-4d75b176c9cb", + "target_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--e5afc447-a241-4773-9a8a-3d6fd205d926", @@ -52953,12 +59745,10 @@ "id": "relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454", "created": "2023-10-02T20:17:51.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:11.594Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
@@ -52992,28 +59782,67 @@ }, { "type": "relationship", - "id": "relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb", - "created": "2023-09-28T20:30:32.778Z", + "id": "relationship--e62235fe-0546-4755-ad01-fedce306ef89", + "created": "2026-04-22T13:57:10.500Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + }, + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:56:47.911Z", + "description": "Segment operational assets and their management devices based on their functional role within the process. 
Enabling more strict isolation to more critical control and operational information within the control environment.(Citation: Karen Scarfone; Paul Hoffman September 2009)(Citation: Keith Stouffer May 2015)(Citation: Department of Homeland Security September 2016)(Citation: Dwight Anderson 2014) ", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--e627461f-f2cc-427b-8896-72db160bca24", + "created": "2026-04-22T21:42:46.708Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:05:12.007Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "modified": "2026-04-23T17:00:44.990Z", + "description": "Implement network allowlists to minimize network access to only authorized hosts.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
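Review bot: In the `description` added with `relationship--e62235fe-…`, the second sentence is a fragment ("Enabling more strict isolation to more critical control and operational information within the control environment."), and the string ends with a space after the last citation. Joining it to the first sentence reads as the guidance presumably intends: `…based on their functional role within the process, enabling stricter isolation of the more critical control and operational information within the control environment.` The author should confirm the "isolation of" reading. Separately, the `mitigates` relationship `relationship--e627461f-…` added in this hunk has a description but no `external_references`. The same course of action is cited to the DHS defense-in-depth document in `relationship--e1653814-…`, so a matching citation here would keep the guidance traceable.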
@@ -53052,15 +59881,49 @@ }, { "type": "relationship", - "id": "relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9", - "created": "2023-09-28T19:42:16.270Z", + "id": "relationship--e70d04d1-51e3-4d43-b3dd-111daeea14f9", + "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-28T15:24:35.809Z", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--e7564f70-9f10-4135-9803-842cd3d2a02f", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:26:25.760Z", + "description": "Patch the BIOS and EFI as necessary.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9", + "created": "2023-09-28T19:42:16.270Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:12.625Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -53090,12 +59953,10 @@ "id": "relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2", "created": "2023-09-29T16:45:20.769Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:13.276Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -53103,12 +59964,27 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--e7b44697-7269-427c-a825-3c41ec6dc385", + "created": "2026-04-20T20:58:43.015Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:43.015Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--e7c3b02a-a932-4561-b812-5cfadd7f9b2f", "created": "2024-11-20T23:25:47.710Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", 
@@ -53133,7 +60009,6 @@ "id": "relationship--e7eca1f8-1c88-4d99-996c-b93e0c66f063", "created": "2025-09-29T19:57:33.616Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -53147,15 +60022,30 @@ }, { "type": "relationship", - "id": "relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42", - "created": "2023-09-29T16:39:41.736Z", + "id": "relationship--e8076aaa-25e1-48cf-afcd-2365a67a8029", + "created": "2026-04-22T22:51:11.523Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T22:51:11.523Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42", + "created": "2023-09-29T16:39:41.736Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:13.666Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -53187,6 +60077,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--e8a72417-2ff1-4bb7-93c2-17fa0c274d3d", + "created": "2026-04-22T19:50:26.088Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T19:50:26.088Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries gained initial access by compromising Fortinet edge devices. (Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15", @@ -53233,12 +60148,10 @@ "id": "relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8", "created": "2023-09-28T19:50:30.312Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:14.760Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -53251,12 +60164,10 @@ "id": "relationship--e915e12c-3d0c-4f60-b119-9414940abb0b", "created": "2023-09-28T20:08:27.145Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:14.982Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", @@ -53269,12 +60180,10 @@ "id": "relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42", "created": "2023-09-28T19:45:18.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:15.180Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -53287,12 +60196,10 @@ "id": "relationship--e98892d6-e036-4140-adbb-2932dba51a19", "created": "2023-09-28T20:08:09.519Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:15.413Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
@@ -53324,12 +60231,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--ea1ba63b-d0e1-4d1b-a098-72ce2c44a44a", + "created": "2026-04-22T13:50:28.914Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:38:37.483Z", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ea211d90-b379-446f-bc5e-ae7befe5a6ff", "created": "2025-09-29T22:04:53.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -53341,12 +60265,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--ea38b054-5552-4287-b3da-c4ad7ff61e55", + "created": "2023-09-28T20:04:32.626Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:47.761Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ea50253a-3220-458b-b810-ad032f2b182f", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "DHS CISA February 2019", 
@@ -53407,21 +60347,21 @@ }, { "type": "relationship", - "id": "relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4", - "created": "2023-09-29T17:38:59.611Z", + "id": "relationship--eaa0b30e-1dea-4dad-9a1e-33da933a8158", + "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:05:16.312Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "modified": "2025-04-28T15:25:11.687Z", + "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", @@ -53452,12 +60392,10 @@ "id": "relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960", "created": "2023-09-28T20:28:52.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:16.718Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -53470,12 +60408,10 @@ "id": "relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53", "created": "2023-09-28T20:05:15.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:17.058Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", @@ -53488,7 +60424,6 @@ "id": "relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026", "created": "2021-10-08T15:25:32.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", @@ -53513,12 +60448,10 @@ "id": "relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b", "created": "2023-09-28T19:44:09.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:17.683Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -53531,7 +60464,6 @@ "id": "relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f", "created": "2021-10-08T15:42:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Inc. June 2017", 
@@ -53556,12 +60488,10 @@ "id": "relationship--eb5310c6-7500-4b16-8ca7-6678c6232001", "created": "2023-09-29T19:36:38.824Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:18.076Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
@@ -53571,17 +60501,52 @@ }, { "type": "relationship", - "id": "relationship--ebb27a0d-c1cc-403f-aea0-6bc90aa52cfe", - "created": "2025-10-21T15:10:28.402Z", + "id": "relationship--eb54882a-57a0-477f-8a2c-4a18c8d463c7", + "created": "2025-09-29T22:05:16.999Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:10:28.402Z", - "description": "", - "relationship_type": "detects", - "source_ref": "x-mitre-detection-strategy--e69d1e15-76e1-434c-bd45-0354a10dde8a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "modified": "2025-09-29T22:05:16.999Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--eb65b30e-53b1-4c27-8841-ee7daec9c33b", + "created": "2026-04-22T16:36:35.229Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:36:35.229Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--eba478bb-7b76-4889-b82c-eda10826ffcb", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:27:26.405Z", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" @@ -53608,12 +60573,10 @@ "id": "relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0", "created": "2023-09-29T17:09:37.977Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:18.505Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -53640,15 +60603,47 @@ }, { "type": "relationship", - "id": "relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643", - "created": "2023-09-28T21:25:48.379Z", + "id": "relationship--ec16db2c-3265-4e0a-88d3-947e198c0a64", + "created": "2026-04-22T20:27:21.792Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T20:27:21.792Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--ec468947-8385-443e-8a1e-fbdebc46df8d", + "created": "2026-04-22T18:55:48.001Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:55:48.001Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643", + "created": "2023-09-28T21:25:48.379Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:18.922Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": 
"x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -53656,6 +60651,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--eccbcd3d-ea6e-4e9d-aa15-7b6e0909b6e0", + "created": "2026-04-22T13:56:15.092Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:39:04.566Z", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a", @@ -53685,12 +60698,10 @@ "id": "relationship--ed095993-bc85-431e-9621-437143f16d44", "created": "2023-09-29T17:44:09.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:19.379Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
@@ -53703,12 +60714,10 @@ "id": "relationship--ed3ce006-cf41-46f6-bd86-054314c130dc", "created": "2023-09-28T21:15:57.120Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:19.565Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -53721,12 +60730,10 @@ "id": "relationship--ed3ef546-566a-46c7-918e-7bfa10d05991", "created": "2023-09-29T17:06:47.370Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:19.779Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", @@ -53739,12 +60746,10 @@ "id": "relationship--ed66e087-8877-4146-a16a-44cfd144a3d8", "created": "2023-09-29T17:07:00.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:19.992Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -53752,35 +60757,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--ed8b97e2-5966-4844-a636-524541a46e43", - "created": "2023-09-29T16:39:18.448Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:05:20.202Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb", "created": "2023-09-29T16:39:29.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:20.412Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
@@ -53790,15 +60775,30 @@ }, { "type": "relationship", - "id": "relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b", - "created": "2023-09-29T17:58:54.996Z", + "id": "relationship--edb0495d-5faf-40be-92e2-fcf0c0b25157", + "created": "2026-04-22T21:37:30.373Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T21:37:30.373Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b", + "created": "2023-09-29T17:58:54.996Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:20.853Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", @@ -53811,12 +60811,10 @@ "id": "relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1", "created": "2023-09-28T21:12:00.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:21.055Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -53829,7 +60827,6 @@ "id": "relationship--ede5f716-52cd-4833-b092-5938262cd20b", "created": "2025-09-29T19:08:08.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -53846,7 +60843,6 @@ "id": "relationship--edf73653-b2d7-422f-b433-b6a428ff12d4", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", 
@@ -53868,28 +60864,34 @@ }, { "type": "relationship", - "id": "relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2", - "created": "2023-09-29T17:58:04.082Z", + "id": "relationship--ee09658b-e384-4693-9318-b1e5d4a2e78a", + "created": "2026-04-22T19:55:57.376Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:05:21.474Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "modified": "2026-04-22T20:21:52.926Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries gained initial access to the operational technology via the compromised Fortinet edge devices, and used used SSH, RDP, and SMB/Windows Admin Shares to connect to remote systems and execute commands.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Tom Fakterman August 2019", 
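Review bot: The `description` added for relationship--ee09658b-e384-4693-9318-b1e5d4a2e78a has a doubled word ("used used SSH, RDP, …") and no space before the citation marker. The sibling 2025 Poland Wiper Attacks relationship added in the `@@ -53187,6 +60077,31 @@` hunk writes `devices. (Citation: CERT Polska)` with the space. I would correct the tail of the string to `and used SSH, RDP, and SMB/Windows Admin Shares to connect to remote systems and execute commands. (Citation: CERT Polska)`. If this bundle is exported from an authoring tool, the correction presumably belongs in that source so it survives the next export.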
@@ -53914,7 +60916,6 @@ "id": "relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", @@ -53939,7 +60940,6 @@ "id": "relationship--ee538956-6abf-4884-bbfa-16839f6c7d63", "created": "2025-09-29T19:03:09.092Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -53956,12 +60956,10 @@ "id": "relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97", "created": "2023-09-28T20:05:33.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:22.308Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", @@ -53991,12 +60989,10 @@ "id": "relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6", "created": "2023-09-28T20:04:07.868Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:22.759Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", @@ -54009,7 +61005,6 @@ "id": "relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", 
@@ -54029,6 +61024,24 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--eed98f8e-3eb9-4238-9acf-c2a0be136e87", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:19.600Z", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4", @@ -54063,12 +61076,10 @@ "id": "relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8", "created": "2023-09-28T21:11:45.241Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:23.369Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -54081,7 +61092,6 @@ "id": "relationship--eeed6b2a-093b-478d-8d20-4ecf0b458bee", "created": "2025-09-24T17:57:18.102Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -54115,12 +61125,10 @@ "id": "relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3", "created": "2023-09-28T19:54:48.577Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:23.790Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -54133,7 +61141,6 @@ "id": "relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Symantec Security Response July 2014", 
@@ -54179,28 +61186,60 @@ }, { "type": "relationship", - "id": "relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0", - "created": "2023-09-29T16:39:09.447Z", + "id": "relationship--efc4eb1c-f254-41a5-976c-31a39f3b35f6", + "created": "2026-04-22T22:48:50.957Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:05:24.415Z", - "description": "", + "modified": "2026-04-22T22:48:50.957Z", "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--efece3a8-02ba-45da-828e-383d31631c62", + "created": "2026-04-23T00:02:13.794Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:02:13.794Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--eff95bb0-9681-47a6-a83d-efeb39328217", + "created": "2026-04-22T18:59:27.057Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:59:27.057Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--efface85-ce65-400f-8632-cb188cc08bcf", "created": "2025-09-29T19:11:45.227Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -54214,15 +61253,30 @@ }, { "type": "relationship", - "id": "relationship--f05a2592-00f9-4f1f-ba55-395af5444b96", - "created": "2023-09-29T17:42:29.179Z", + "id": "relationship--f043ed4b-f304-44c4-8bf5-5a96ffeb97cd", + "created": "2026-04-22T20:40:50.871Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T20:40:50.871Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--f05a2592-00f9-4f1f-ba55-395af5444b96", + "created": "2023-09-29T17:42:29.179Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:24.632Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -54235,12 +61289,10 @@ "id": "relationship--f08d487a-7837-48f9-9301-fe0f9f144c92", "created": "2023-09-28T20:31:04.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:24.852Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -54248,36 +61300,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:27:20.209Z", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
@@ -54319,12 +61346,10 @@ "id": "relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d", "created": "2023-09-29T18:45:34.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:25.709Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -54332,30 +61357,11 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb", - "created": "2023-09-28T21:23:01.421Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:05:25.902Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--f130282b-f681-455f-966b-55829842be92", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Langer Stuxnet", 
@@ -54380,12 +61386,10 @@ "id": "relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8", "created": "2023-09-28T21:24:22.815Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:26.315Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -54402,7 +61406,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--3ea60ac7-87a3-4033-9089-258941d8388a", "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", 
@@ -54436,33 +61439,47 @@ }, { "type": "relationship", - "id": "relationship--f19c34b2-ef3a-4581-b604-6639f501e32f", - "created": "2023-10-02T20:20:32.163Z", + "id": "relationship--f1745073-e18e-4d62-b439-1afb1ec472c9", + "created": "2026-04-22T13:28:16.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:05:26.944Z", - "description": "", + "modified": "2026-04-22T13:28:16.417Z", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--f1c35b0c-c465-4f20-801a-b9b1fb088d94", + "created": "2026-04-22T18:58:07.201Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:58:07.201Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704", "created": "2023-09-29T17:07:38.219Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:27.174Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", @@ -54492,7 +61509,6 @@ "id": "relationship--f25c2744-e08f-4ea2-83c3-46a517ba4f4d", "created": "2025-09-29T19:09:04.156Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -54509,7 +61525,6 @@ "id": "relationship--f29ecf69-1753-44bb-9b80-1025f49cadda", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", @@ -54529,12 +61544,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--f3178f64-d0e9-4cd0-84a4-0b28c0fde4bc", + "created": "2026-04-22T16:41:35.915Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:41:35.915Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--f347b4fe-d829-427d-851a-fff3393441db", "created": "2021-04-12T07:57:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik August 2019", 
@@ -54559,12 +61590,10 @@ "id": "relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b", "created": "2023-09-28T21:23:51.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:28.414Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -54572,6 +61601,40 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--f3dbd66f-cfdb-488e-924f-a5cdc27d3a11", + "created": "2026-04-22T21:40:49.547Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:40:49.547Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--f3fab39f-864a-458a-b7dd-9ed38cfaa0e1", + "created": "2026-04-22T13:54:59.989Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:54:59.989Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48", @@ -54594,7 +61657,6 @@ "id": "relationship--f448969e-217d-4946-bede-6c85dc1b123f", "created": "2025-09-29T19:48:41.376Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -54611,7 +61673,6 @@ "id": "relationship--f45c2df8-30e7-45d0-8067-7b2870767574", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -54643,28 +61704,26 @@ }, { "type": "relationship", - "id": "relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1", - "created": "2023-09-28T19:49:56.464Z", + "id": "relationship--f4b94abb-3b81-4c92-8bd1-0fed105ece14", + "created": "2023-09-28T19:37:35.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:05:29.445Z", - "description": "", + "modified": "2025-04-16T23:03:49.479Z", "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f4cae3bb-a699-43a6-9dae-fd3acac9551e", "created": "2025-09-24T18:19:38.546Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
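Review bot: In the `@@ -54643,28 +61704,26 @@` hunk the object `relationship--f4b94abb-3b81-4c92-8bd1-0fed105ece14` appears on the new side with `"modified": "2025-04-16T23:03:49.479Z"` and `"x_mitre_attack_spec_version": "3.3.0"`, so it enters this file with a timestamp about a year older than the 2026 values on the other additions. Whether it already existed in another bundle is not visible here. If it is new to this file, a consumer that syncs incrementally on a `modified` watermark would presumably never pick it up, and any coverage or asset mapping built from `targets` relationships would silently lack it. Consider bumping `modified` when an object is introduced, or document that consumers must reconcile by `id` set rather than by timestamp. The same applies to the added objects whose ids begin f5337891, f65823c1, f7a466c2, f86bc28e, f9ee9476 and fa391554 in later hunks.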
@@ -54681,12 +61740,10 @@ "id": "relationship--f531e763-3550-40ba-a6a1-81e208ca12c6", "created": "2023-09-29T16:41:06.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:29.887Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", @@ -54696,15 +61753,30 @@ }, { "type": "relationship", - "id": "relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7", - "created": "2023-09-28T21:26:23.361Z", + "id": "relationship--f5337891-61a3-4f24-a00a-8064a7ab4447", + "created": "2025-09-29T19:05:22.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-09-29T19:05:22.195Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7", + "created": "2023-09-28T21:26:23.361Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:30.071Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -54717,7 +61789,6 @@ "id": "relationship--f584a257-c22a-434b-aa2d-6220987821ab", "created": "2021-10-13T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jos Wetzels January 2018", @@ -54742,12 +61813,10 @@ "id": "relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545", "created": "2023-09-29T18:44:50.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:30.485Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
@@ -54755,35 +61824,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--f5c9f641-a498-46b5-9068-39502db53cfd", - "created": "2023-09-28T20:10:55.590Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:05:30.721Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4", "created": "2023-09-29T17:04:55.720Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:30.913Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
@@ -54791,24 +61840,6 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51", - "created": "2023-09-29T17:05:20.132Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-16T23:05:31.104Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--f6320c84-adfe-4a26-b33c-2b29ebd1337f", @@ -54818,7 +61849,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c4777f1a-1481-4e8a-a3f4-0da57418c808", "target_ref": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", 
@@ -54826,12 +61856,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--f65823c1-211b-40bf-a622-407bb511cb3d", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:03:40.724Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. (Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos", 
@@ -54856,12 +61910,10 @@ "id": "relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659", "created": "2023-09-28T19:55:58.229Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:31.516Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -54871,15 +61923,29 @@ }, { "type": "relationship", - "id": "relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6", - "created": "2023-09-28T20:12:09.661Z", + "id": "relationship--f6794183-bbc5-4c36-a597-fd49d4957c2b", + "created": "2026-04-20T20:58:51.348Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-20T20:58:51.348Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6", + "created": "2023-09-28T20:12:09.661Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:31.952Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
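Review bot: In the `@@ -54871,15 +61923,29 @@` hunk the added `revoked-by` object `relationship--f6794183-bbc5-4c36-a597-fd49d4957c2b` has no `x_mitre_deprecated` key, unlike every other relationship added in this part of the diff. If that omission is not deliberate for `revoked-by` relationships, add `"x_mitre_deprecated": false,` after `x_mitre_modified_by_ref`; if it is deliberate, consumers need to default the key. Practically, anything keyed on `attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60` (detection rules, mitigation mappings, asset coverage) should be re-pointed to `attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5` by following this relationship. An earlier hunk already removes a `targets` relationship sourced from the revoked technique, so lookups by the old id will return less than before.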
@@ -54892,7 +61958,6 @@ "id": "relationship--f6bc7a24-c3e5-465c-ad71-52087cbff920", "created": "2025-09-29T19:12:16.231Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -54904,12 +61969,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--f6e405c4-77e2-4bf3-8313-279aea9f0025", + "created": "2026-04-22T16:41:01.640Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:41:01.640Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--f6ff74c2-d088-4252-a8e0-189574863765", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -54941,15 +62022,31 @@ }, { "type": "relationship", - "id": "relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c", - "created": "2023-09-29T16:45:42.977Z", + "id": "relationship--f710e99a-dfe9-4b2b-8b1b-97ab1c9d65f3", + "created": "2026-04-22T17:50:53.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-23T16:18:54.342Z", + "description": "Review the integrity of project files to verify they have not been modified by adversary behavior. Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c", + "created": "2023-09-29T16:45:42.977Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:32.577Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
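Review bot: The `description` of the added `mitigates` object `relationship--f710e99a-dfe9-4b2b-8b1b-97ab1c9d65f3` offers timestamps as an alternative to hash verification without saying how much weaker that indicator is, and the object has no `external_references` entry to back the guidance. File timestamps can be reset by anyone with write access to the project file, so they are a hint at best, and the hash comparison only helps if the trusted value is stored somewhere the engineering workstation cannot modify. I would reword the second sentence along the lines of `Verify a cryptographic hash of the file against a known trusted version held outside the engineering environment; timestamps and similar metadata are supporting indicators only.` and add a citation if a source exists.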
@@ -54962,12 +62059,10 @@ "id": "relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846", "created": "2023-09-29T18:47:39.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:32.808Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", @@ -54975,12 +62070,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--f76dd26b-2aa3-4fc3-bdef-ddd0632d851b", + "created": "2026-04-22T13:30:44.280Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:20:25.188Z", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--f79d44ae-f971-484a-973b-e0cab972681d", "created": "2025-09-29T19:52:32.636Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -54994,28 +62106,27 @@ }, { "type": "relationship", - "id": "relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138", - "created": "2023-09-28T20:31:31.498Z", + "id": "relationship--f7a466c2-acdf-49b1-9906-41388f7a5238", + "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:05:32.996Z", - "description": "", - "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "modified": "2025-04-28T15:24:35.268Z", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df", "created": "2023-09-27T14:58:21.360Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", @@ -55045,7 +62156,6 @@ "id": "relationship--f7c641d2-3528-4b4a-9612-85827eb0fff8", "created": "2024-11-20T23:29:22.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", 
@@ -55070,12 +62180,10 @@ "id": "relationship--f7d672f6-993b-4036-961d-f6e22e94446c", "created": "2024-04-09T20:48:30.734Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:33.625Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", @@ -55088,7 +62196,6 @@ "id": "relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Eduard Kovacs May 2018", @@ -55113,12 +62220,10 @@ "id": "relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089", "created": "2023-09-28T20:16:40.519Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:34.045Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -55143,12 +62248,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--f86bc28e-6293-411e-8bbe-2e2717286529", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-28T15:24:44.608Z", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702", "created": "2023-03-22T15:52:30.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "PLCTop20 Mar 2023", @@ -55173,7 +62295,6 @@ "id": "relationship--f9164f95-51d4-4b6c-92d8-0cafe4b97e6c", "created": "2025-09-24T18:13:30.126Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -55190,12 +62311,10 @@ "id": "relationship--f92764db-a880-4726-9d28-a035170f790c", "created": "2023-09-28T21:22:35.236Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:34.905Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -55203,34 +62322,15 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, - { - "type": "relationship", - "id": "relationship--f951d934-d555-45e9-a564-27b84518cae4", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2025-04-28T15:27:26.405Z", - "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" - }, { "type": "relationship", "id": "relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b", "created": "2023-09-28T19:48:37.072Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:35.518Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
@@ -55281,7 +62381,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ab3f0926-58e2-485e-987c-66b541d9de97", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", @@ -55289,12 +62388,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--f9ee9476-5487-4535-93fd-6b0cbbda0471", + "created": "2023-09-28T20:02:45.697Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:01:32.818Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -55307,6 +62422,23 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--fa391554-a3c0-4b89-9083-a53d299c5fad", + "created": "2023-09-29T16:39:18.448Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:05:20.202Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--faa5ba6b-bbc4-47ab-a737-6dc1d8b31efd", @@ -55316,7 +62448,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7f41ed29-fdc6-4c28-ba10-9de1aa129f7e", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", @@ -55329,12 +62460,10 @@ "id": "relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0", "created": "2023-09-29T16:28:04.180Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:36.593Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
@@ -55347,7 +62476,6 @@ "id": "relationship--fad25140-73de-40d5-a010-3464188db973", "created": "2023-09-25T20:51:07.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -55365,12 +62493,10 @@ "id": "relationship--fadbdca3-3c98-497c-a156-e53b89664359", "created": "2023-09-28T20:16:55.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:37.012Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
@@ -55378,12 +62504,36 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--fadc8348-837b-4d7d-91a2-679117e5fd7b", + "created": "2026-04-22T20:11:46.591Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:22:08.533Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries remotely executed commands on systems using [PsExec](https://attack.mitre.org/software/S0029) to gather information about running processes, network connections, routing tables, ARP cache, and contents of user directories.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--faf163b6-4e35-43d6-9c0c-83d91d215854", "created": "2024-09-11T22:57:39.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Claroty Fuxnet 2024", 
@@ -55408,7 +62558,6 @@ "id": "relationship--fb4ee993-feb0-414f-b724-6ba392b1e560", "created": "2025-09-29T19:10:44.136Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -55422,15 +62571,48 @@ }, { "type": "relationship", - "id": "relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1", - "created": "2023-09-29T17:38:28.664Z", + "id": "relationship--fb8530c7-b6d7-44be-851e-1eb773f47e72", + "created": "2026-04-22T16:41:15.170Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T16:41:15.170Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--fc02e858-0e4d-462c-8f66-f7289677c559", + "created": "2026-04-22T17:51:53.280Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:19:51.453Z", + "description": "Ensure permissions restrict project file access to only engineer and technician user groups and accounts.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1", + "created": "2023-09-29T17:38:28.664Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:37.622Z", - "description": "", 
"relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", @@ -55447,7 +62629,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--87493fa2-bb78-4e28-b882-d79eecd10740", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", @@ -55460,7 +62641,6 @@ "id": "relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Eduard Kovacs May 2018", @@ -55485,7 +62665,6 @@ "id": "relationship--fc508fcc-6f19-44da-bbc0-de6aaa627d04", "created": "2025-09-29T19:16:18.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -55497,6 +62676,58 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--fc77a4bc-1383-492a-a04b-9062345ced53", + "created": "2026-04-22T16:06:19.136Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:49:59.483Z", + "description": "Filter for protocols and payloads associated with firmware activation or updating activity.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--fc8e2629-c7ea-4b3c-b614-edde1a700f27", + "created": "2026-04-22T20:16:16.558Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:16:16.558Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--fcb02e3f-3a41-46fc-8014-f1e95b14e28a", + "created": "2026-04-22T21:38:15.078Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:38:15.079Z", + "relationship_type": "targets", + 
"source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041", @@ -55519,12 +62750,10 @@ "id": "relationship--fcba6a58-72b0-4d54-a887-740624e22f6f", "created": "2024-03-26T15:42:36.840Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:38.920Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
@@ -55532,6 +62761,31 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--fcc33052-42c2-485c-903c-cd86e5a87f34", + "created": "2022-09-28T20:26:09.928Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T23:01:26.160Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0", @@ -55554,7 +62808,6 @@ "id": "relationship--fcd7c2bf-638e-409f-bc36-fff28c3cc68f", "created": "2025-09-29T19:03:28.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -55566,12 +62819,28 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" }, + { + "type": "relationship", + "id": "relationship--fcdf1912-dfc8-4cc3-92de-c6689353dd8e", + "created": "2026-04-23T00:29:11.945Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:29:11.945Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "type": "relationship", "id": "relationship--fd1bde9f-b2a5-48e2-ac92-cb6097040a71", "created": "2025-09-24T18:04:32.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -55588,7 +62857,6 @@ "id": "relationship--fd1f3d4e-825f-4b25-aaf7-c82823ccf341", "created": "2025-09-24T18:22:03.083Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -55605,12 +62873,10 @@ "id": "relationship--fd309395-8fcc-402c-9227-90ac897fd602", "created": "2024-03-26T15:41:39.905Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:39.554Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", 
@@ -55623,12 +62889,10 @@ "id": "relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd", "created": "2023-10-02T20:23:41.227Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:39.770Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
@@ -55638,40 +62902,71 @@ }, { "type": "relationship", - "id": "relationship--fd7247a4-b299-4948-a3b0-9b43f4f41ae0", - "created": "2024-03-28T14:29:46.095Z", + "id": "relationship--fd52f382-115f-483a-82c1-bb31fe5d5eb6", + "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "FireEye TRITON 2018", - "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.", - "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html" + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + }, + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:05:39.957Z", - "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) leveraged [Triton](https://attack.mitre.org/software/S1009) to send unauthorized command messages to the Triconex safety controllers.(Citation: FireEye TRITON 2018)", - "relationship_type": "uses", - "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "modified": "2026-04-23T19:00:47.255Z", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment.(Citation: Karen Scarfone; Paul Hoffman September 2009)(Citation: Keith Stouffer May 2015)(Citation: Department of Homeland Security September 2016)(Citation: Dwight Anderson 2014) \n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--fd8cd074-9e66-45f3-b41f-71f7aaf00ee6", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-12-24T17:46:05.669Z", + "description": "Authenticate connections from software and 
devices to prevent unauthorized systems from accessing protected management functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" }, { "type": "relationship", "id": "relationship--fdc20415-c9a1-405e-80af-3d297894e8fa", "created": "2023-09-28T19:58:30.849Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:40.401Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
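Review bot: The mitigation text added for `relationship--fd52f382-115f-483a-82c1-bb31fe5d5eb6` contains a sentence fragment and trailing whitespace: "Enabling more strict isolation …" has no main clause, and the value ends in a space plus `\n`. I would join it to the previous sentence, `…based on their functional role within the process, enabling stricter isolation of more critical control and operational information within the control environment.`, and strip the trailing space and newline. The four `external_references` descriptions in the same object (of the form "… Retrieved. 2020/09/25 ") use a different citation layout from the other references in this diff and also end in a space, which makes them harder to match or de-duplicate downstream. The same trailing `\n` appears in the descriptions added for `relationship--f86bc28e-6293-411e-8bbe-2e2717286529` and `relationship--fd8cd074-9e66-45f3-b41f-71f7aaf00ee6`, and a trailing space follows the citation in `relationship--fcc33052-42c2-485c-903c-cd86e5a87f34`.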
@@ -55681,15 +62976,30 @@ }, { "type": "relationship", - "id": "relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f", - "created": "2023-09-28T21:10:39.025Z", + "id": "relationship--fe19d9d1-a560-425d-a41a-a643199aa79b", + "created": "2026-04-22T20:33:11.987Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2026-04-22T20:33:11.987Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c4ddc0d7-0296-4d92-9ae1-1a4b7b5d1640", + "target_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, + { + "type": "relationship", + "id": "relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f", + "created": "2023-09-28T21:10:39.025Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "modified": "2025-04-16T23:05:40.807Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", @@ -55702,12 +63012,10 @@ "id": "relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926", "created": "2023-09-28T21:26:59.998Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:41.023Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
@@ -55720,7 +63028,6 @@ "id": "relationship--fe3bd9f0-2cdb-420d-88fa-352125bd7f28", "created": "2025-09-24T18:22:16.837Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -55737,7 +63044,6 @@ "id": "relationship--feb32f07-00f0-404f-920d-8891be40b655", "created": "2025-09-29T19:08:19.567Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -55754,12 +63060,10 @@ "id": "relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb", "created": "2023-09-28T19:56:26.241Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:41.267Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", @@ -55772,12 +63076,10 @@ "id": "relationship--ff107632-751b-4efb-86bd-af670b48d35d", "created": "2023-09-28T21:21:30.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:41.468Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", @@ -55807,7 +63109,6 @@ "id": "relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik April 2019", 
@@ -55827,12 +63128,29 @@ "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0" }, + { + "type": "relationship", + "id": "relationship--ffd2ae1d-6c1d-4d27-8cf0-bc745100bba7", + "created": "2026-04-22T20:38:50.866Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:38:50.866Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + }, { "modified": "2025-03-19T15:00:40.855Z", "name": "The MITRE Corporation", - "description": "", "identity_class": "organization", "type": "identity", + "spec_version": "2.1", "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-06-01T00:00:00.000Z", "object_marking_refs": [ @@ -55842,10 +63160,11 @@ }, { "definition": { - "statement": "Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." + "statement": "Copyright 2015-2026, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." }, "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", "type": "marking-definition", + "spec_version": "2.1", "created": "2017-06-01T00:00:00.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "definition_type": "statement" diff --git a/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json b/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json index 710e0ef629..9688245f5c 100644 --- a/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json 
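Review bot: The `"spec_version": "2.1"` lines added to the identity and marking-definition objects here mix two STIX version conventions in one bundle. The relationship object added just above them (`relationship--ffd2ae1d-6c1d-4d27-8cf0-bc745100bba7`) carries no `spec_version`, and the per-object files that follow (the identity bundle and the intrusion-set bundles) keep `"spec_version": "2.0"` on the bundle wrapper as unchanged context while gaining the same per-object field. STIX 2.0 versions the bundle and defines no per-object `spec_version`, whereas 2.1 does the opposite, so a parser that takes its version from the bundle and validates strictly may reject these objects or treat the field as an unknown custom property. Either remove the added `"spec_version": "2.1",` lines, or migrate each bundle as a whole by dropping the bundle-level field and stamping every object. The bundle header of this large file is outside the hunk, so whether it also declares 2.0 should be confirmed.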
+++ b/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json @@ -1,14 +1,14 @@ { "type": "bundle", - "id": "bundle--a243a8e3-5df2-497e-b8b5-c359f1870076", + "id": "bundle--66089ef7-4182-4d16-8e75-1e92cc558968", "spec_version": "2.0", "objects": [ { "modified": "2025-03-19T15:00:40.855Z", "name": "The MITRE Corporation", - "description": "", "identity_class": "organization", "type": "identity", + "spec_version": "2.1", "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-06-01T00:00:00.000Z", "object_marking_refs": [ diff --git a/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json b/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json index 884d9a6539..d48737683d 100644 --- a/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json +++ b/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json 
@@ -1,29 +1,11 @@ { "type": "bundle", - "id": "bundle--659e34af-9f92-4418-8f7a-8476623acb1c", + "id": "bundle--14cf2a99-0018-439e-b3f2-cfc832d2f491", "spec_version": "2.0", "objects": [ { - "modified": "2025-01-22T21:54:11.727Z", - "name": "APT38", - "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", - "aliases": [ - "APT38", - "NICKEL GLADSTONE", - "BeagleBoyz", - "Bluenoroff", - "Stardust Chollima", - "Sapphire Sleet", - "COPERNICIUM" - ], - "x_mitre_deprecated": false, - "x_mitre_version": "3.1", - "x_mitre_contributors": [ - "Hiroki Nagahama, NEC Corporation", - "Manikantan Srinivasan, NEC Corporation India", - "Pooja Natarajan, NEC Corporation India" - ], "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", 
"created": "2019-01-29T21:27:24.793Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -80,7 +62,7 @@ { "source_name": "FireEye APT38 Oct 2018", "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.", - "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" + "url": "https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf" }, { "source_name": "Kaspersky Lazarus Under The Hood Blog 2017", 
@@ -106,12 +88,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-11-13T19:21:05.133Z", + "name": "APT38", + "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", + "aliases": [ + "APT38", + "NICKEL GLADSTONE", + "BeagleBoyz", + "Bluenoroff", + "Stardust Chollima", + "Sapphire Sleet", + "COPERNICIUM" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "3.1", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Hiroki Nagahama, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India", + "Pooja Natarajan, NEC Corporation India" + ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" - ], - 
"x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json b/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json index c24229f9c7..f324654312 100644 --- a/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json +++ b/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--580b7b33-fd08-46ed-ae1f-2f4b7b28e2b9", + "id": "bundle--33c9b839-59e0-4de0-9014-3f9480947120", "spec_version": "2.0", "objects": [ { "type": "intrusion-set", + "spec_version": "2.1", "id": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", "created": "2017-05-31T21:31:57.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -33,13 +34,13 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Dragos Threat Intelligence" + ], + "x_mitre_domains": [ + "ics-attack" ] } ] diff --git a/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json b/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json index a50c9d7752..d7aeda52bc 100644 --- a/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json +++ b/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c4e2790a-c05a-46d0-bcac-402297753165", + "id": "bundle--b012cbe3-f08d-4d13-b2dd-fce52afd1aa6", "spec_version": "2.0", "objects": [ { 
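Review bot: The file for intrusion-set--190242d7 gains `"spec_version": "2.1"` on the object, but neither of its two hunks changes `modified`, and `x_mitre_attack_spec_version` stays at `"3.2.0"`. STIX versioning expects a new `modified` timestamp whenever an object's properties change, and consumers that cache or de-duplicate on `id` plus `modified` will keep the copy they already have. If the added property is intended, bump `modified` in the same commit; if it is a by-product of the export tool, which is what the pure key reordering in the second hunk suggests, drop it so the object stays stable. The 1c63d4ec and 2a7914cf files and the other intrusion sets that only gain `spec_version` show the same pattern.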
@@ -25,6 +25,7 @@
 "Dragos Threat Intelligence"
 ],
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
 "created": "2017-05-31T21:32:05.217Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -149,12 +150,12 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_domains": [
 "enterprise-attack",
 "ics-attack"
- ],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json b/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json
index a8a2c58f05..0190d24754 100644
--- a/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json
+++ b/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--11d56de2-2672-473f-bbf1-c47f9042e771",
+ "id": "bundle--fa0723e9-795d-45fe-a11b-7596b013e8cb",
 "spec_version": "2.0",
 "objects": [
 {
@@ -22,6 +22,7 @@
 "Drew Church, Splunk"
 ],
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
 "created": "2017-05-31T21:32:06.015Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -90,12 +91,12 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_domains": [
 "enterprise-attack",
 "ics-attack"
- ],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json b/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json
index 49c3c8fb88..b4fd5ae396 100644
--- a/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json
+++ b/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--7e8be987-6c15-488d-8145-94b0c5f6a856",
+ "id": "bundle--a6ae1669-8577-43bf-bd00-bd8231f0afc9",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc",
 "created": "2017-05-31T21:32:09.460Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json b/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json
index 30058680e7..de10fe150a 100644
--- a/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json
+++ b/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0b1f1f25-7d42-4dc3-a998-daf26d4fc293",
+ "id": "bundle--3d8737bf-639a-4c78-86da-8143e07cbf2d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -27,6 +27,7 @@
 "Hakan KARABACAK"
 ],
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
 "created": "2017-05-31T21:32:04.588Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -160,13 +161,13 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_domains": [
 "enterprise-attack",
 "ics-attack",
 "mobile-attack"
- ],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json b/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json
index 4c17f0ea0b..8e82254304 100644
--- a/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json
+++ b/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d5a9172a-7e06-4ad4-9ab2-773172fad910",
+ "id": "bundle--595bd864-d5b3-42db-be7c-eafe31640c60",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,6 +30,7 @@
 "Jaesang Oh, KC7 Foundation"
 ],
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
 "created": "2017-12-14T16:46:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -172,12 +173,12 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_domains": [
 "enterprise-attack",
 "ics-attack"
- ],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json b/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json
index 6ead20a0e5..9c09cebcdb 100644
--- a/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json
+++ b/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--78ebb63d-ce84-4ce9-af73-f93771e4084f",
+ "id": "bundle--f4e1b6de-d652-469b-90a1-f0fb2c06caf2",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6",
 "created": "2018-01-16T16:13:52.465Z",
 "revoked": true,
@@ -22,11 +23,11 @@
 "name": "APT34",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_domains": [
 "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json b/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
index 12d3c7a36d..408e3e72d8 100644
--- a/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
+++ b/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--483f745f-a894-437c-bc7e-c0b5d52ba628",
+ "id": "bundle--84b6e51b-2ffe-4dae-8584-8964daef2e67",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71",
 "created": "2018-10-17T00:14:20.652Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json b/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json
index 7f66a11b5d..3bc8bd90c3 100644
--- a/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json
+++ b/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a4ee975d-17c1-4263-964c-d0a0bfe0b098",
+ "id": "bundle--ca86a3aa-1e42-4505-a6b9-28697dbe6172",
 "spec_version": "2.0",
 "objects": [
 {
@@ -17,6 +17,7 @@
 "Dragos Threat Intelligence"
 ],
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4",
 "created": "2019-04-16T15:14:38.533Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -64,12 +65,12 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_domains": [
 "enterprise-attack",
 "ics-attack"
- ],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa.json b/ics-attack/intrusion-set/intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa.json
index cbdc540caa..491401b234 100644
--- a/ics-attack/intrusion-set/intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa.json
+++ b/ics-attack/intrusion-set/intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0c394f01-3f99-4f45-a131-931ff4c6b37a",
+ "id": "bundle--c59ed501-7ac3-406e-a7e4-05063b8ff66d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -14,6 +14,7 @@
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--a07a367a-146c-45a8-a830-d3d337b9befa",
 "created": "2024-03-25T19:57:07.829Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -37,11 +38,11 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_domains": [
 "ics-attack"
- ],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json b/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json
index 89b16ebc95..ac99781611 100644
--- a/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json
+++ b/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--9ba036e0-d630-4836-b747-1e95822043dc",
+ "id": "bundle--d9e7bf4d-666e-47bc-8783-365d088d5c7c",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133",
 "created": "2020-09-22T19:41:27.845Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -52,14 +53,14 @@
 ],
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
 "x_mitre_version": "2.0",
 "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_contributors": [
 "Thijn Bukkems, Amazon"
+ ],
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
 ]
 }
 ]
diff --git a/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json b/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json
index 60215dca09..d5e4152e0c 100644
--- a/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json
+++ b/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--20e1b460-09da-4bbd-aeb9-12ff7a789271",
+ "id": "bundle--cd0e9196-8244-4fcb-b41b-6b21a9cdbea1",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
 "created": "2017-05-31T21:32:03.807Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json b/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json
index 28e2c16401..c8631a2be8 100644
--- a/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json
+++ b/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json
@@ -1,30 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--7f45cb31-fd91-48eb-bbc5-0e11607c184f",
+ "id": "bundle--77252d38-84c0-4fd2-ae1e-88f4f9c846ff",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2025-03-12T20:33:21.597Z",
- "name": "Wizard Spider",
- "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)",
- "aliases": [
- "Wizard Spider",
- "UNC1878",
- "TEMP.MixMaster",
- "Grim Spider",
- "FIN12",
- "GOLD BLACKBURN",
- "ITG23",
- "Periwinkle Tempest",
- "DEV-0193"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_version": "4.0",
- "x_mitre_contributors": [
- "Edward Millington",
- "Oleksiy Gayda"
- ],
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
 "created": "2020-05-12T18:15:29.396Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -63,6 +44,14 @@
 "source_name": "DEV-0193",
 "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
 },
+ {
+ "source_name": "Pistachio Tempest",
+ "description": "(Citation: Microsoft_PistachioTempest_Jan2024)"
+ },
+ {
+ "source_name": "DEV-0237",
+ "description": "(Citation: Microsoft_PistachioTempest_Jan2024)"
+ },
 {
 "source_name": "GOLD BLACKBURN",
 "description": "(Citation: Secureworks Gold Blackburn Mar 2022)"
@@ -97,6 +86,11 @@
 "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
 "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 },
+ {
+ "source_name": "Microsoft_PistachioTempest_Jan2024",
+ "description": "Microsoft. (2024, January 25). Financially Motivated Threat Actor Pistachio Tempest. Retrieved December 15, 2025.",
+ "url": "https://www.microsoft.com/en-us/security/security-insider/threat-landscape/pistachio-tempest"
+ },
 {
 "source_name": "CrowdStrike Wizard Spider October 2020",
 "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.",
@@ -110,7 +104,7 @@
 {
 "source_name": "Mandiant FIN12 Oct 2021",
 "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.",
- "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf"
+ "url": "https://web.archive.org/web/20220313061955/https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf"
 },
 {
 "source_name": "IBM X-Force ITG23 Oct 2021",
@@ -121,12 +115,34 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "modified": "2026-01-20T16:26:04.859Z",
+ "name": "Wizard Spider",
+ "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)",
+ "aliases": [
+ "Wizard Spider",
+ "UNC1878",
+ "TEMP.MixMaster",
+ "Grim Spider",
+ "FIN12",
+ "GOLD BLACKBURN",
+ "ITG23",
+ "Periwinkle Tempest",
+ "DEV-0193",
+ "Pistachio Tempest",
+ "DEV-0237"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "4.1",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_contributors": [
+ "Edward Millington",
+ "Oleksiy Gayda"
+ ],
 "x_mitre_domains": [
 "enterprise-attack",
 "ics-attack"
- ],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json b/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json
index f3f8391610..dc00f28b80 100644
--- a/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json
+++ b/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json
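Review bot: The `description` re-added in the Wizard Spider hunk is word-for-word the old one, even though the `aliases` list beside it now maps both `Periwinkle Tempest`/`DEV-0193` and `Pistachio Tempest`/`DEV-0237` to this group. Anyone who keys attribution or detection content on alias strings will start treating activity reported under either name as Wizard Spider, and nothing in the object says on what basis the second pair was merged. I would add one sentence to `description` that states how the names relate and ends with `(Citation: Microsoft_PistachioTempest_Jan2024)`, the reference this commit already adds to `external_references`. The `x_mitre_version` bump to `"4.1"` fits the change as it stands.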
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--99668f3d-2145-43b0-9714-2b6dce53e44f",
+ "id": "bundle--50087d5d-dd0c-440a-81f4-5a77c70d2981",
 "spec_version": "2.0",
 "objects": [
 {
@@ -20,6 +20,7 @@
 "Mindaugas Gudzis, BT Security"
 ],
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3",
 "created": "2018-10-17T00:14:20.652Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -71,12 +72,12 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_domains": [
 "enterprise-attack",
 "ics-attack"
- ],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json b/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json
index 6188497c94..bc4b6d510f 100644
--- a/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json
+++ b/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3b7beba0-2f08-436e-95fc-79dae23481a7",
+ "id": "bundle--d6641d0a-0f62-4fd6-b7c6-f6feee5c806a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,6 +19,7 @@
 "Dragos Threat Intelligence"
 ],
 "type": "intrusion-set",
+ "spec_version": "2.1",
 "id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
 "created": "2018-04-18T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -74,12 +75,12 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_domains": [
 "ics-attack",
 "enterprise-attack"
- ],
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json b/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json
index 08b69a124e..17258a9b88 100644
--- a/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json
+++ b/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--15035f56-650d-4ef4-b6f0-a801c0f51723",
+ "id": "bundle--6f231f37-566c-446c-9a03-e44f63fe8859",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json b/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json
index 16461d0500..7670e5c8b7 100644
--- a/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json
+++ b/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--118473cb-c5c6-4387-91c8-bd8a178e1e99",
+ "id": "bundle--47112adb-cf9a-4b1f-b0d7-19e34913c008",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json b/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json
index 317613cbe3..a216e4308b 100644
--- a/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json
+++ b/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json
@@ -1,25 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--e9b7fc25-2e7f-4a73-aa37-00d9a47af868",
+ "id": "bundle--a0d9c2b4-bb7a-4910-8225-e578a5e0050c",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2025-01-02T19:40:26.678Z",
- "name": "Stuxnet",
- "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ",
- "x_mitre_platforms": [
- "Windows"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_version": "1.4",
- "x_mitre_aliases": [
- "Stuxnet",
- "W32.Stuxnet"
- ],
 "type": "malware",
 "id": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
 "created": "2020-12-14T17:34:58.457Z",
@@ -59,8 +43,24 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "x_mitre_attack_spec_version": "3.2.0",
+ "modified": "2026-04-24T02:36:25.135Z",
+ "name": "Stuxnet",
+ "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Windows"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "enterprise-attack",
+ "ics-attack"
+ ],
+ "x_mitre_version": "1.5",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_aliases": [
+ "Stuxnet",
+ "W32.Stuxnet"
+ ],
 "labels": [
 "malware"
 ]
diff --git a/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json b/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json
index 7282a8c456..5b7df4d305 100644
--- a/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json
+++ b/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--686da944-5020-4f57-b855-2994af08f088",
+ "id": "bundle--0981112d-3c0d-49fb-bb08-884132d7eab4",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json b/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json
index 88ebac4a1f..eecdd25731 100644
--- a/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json
+++ b/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--33fa46ae-7b62-43ba-b047-dbed11eee620",
+ "id": "bundle--045906d0-031f-4c2a-b0ae-f9c38a12e399",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json b/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json
index aa26daa1cd..36676ffd98 100644
--- a/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json
+++ b/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--982eb1b5-a9a7-4d11-b30a-4c69e4be4d6c",
+ "id": "bundle--ef0ef723-6ac9-4621-9a95-64ce1ee49228",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json b/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json
index a77c0c9cdc..906fd197af 100644
--- a/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json
+++ b/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bfed4c61-80be-476b-b0a3-2b9063a3329b",
+ "id": "bundle--644762a0-7b0b-45f6-8f98-55efd89bcdb7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json b/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json
index 2bb7c2e243..6bc989f68f 100644
--- a/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json
+++ b/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3180090a-bbe5-4d0b-a17b-a38dd3436f3b",
+ "id": "bundle--d6449595-256c-4f92-8222-04f762375938",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json b/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json
index 53a794a3b1..576d45438f 100644
--- a/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json
+++ b/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7881ac7e-83b0-4016-8937-2a42bbf13910",
+ "id": "bundle--b964d501-00b5-4481-87da-839e4df95ea4",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,7 +29,7 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T21:26:24.423Z",
+ "modified": "2026-04-23T14:17:13.861Z",
 "name": "PLC-Blaster",
 "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016) (Citation: Spenneberg, Ralf 2016) ",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
@@ -37,8 +37,8 @@
 "x_mitre_domains": [
 "ics-attack"
 ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_version": "1.1",
+ "x_mitre_attack_spec_version": "3.3.0",
 "x_mitre_aliases": [
 "PLC-Blaster"
 ],
diff --git a/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json b/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json
index 29504b3518..cb0caf02d9 100644
--- a/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json
+++ b/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6b6b2404-7bca-431f-8e55-f639c075359b",
+ "id": "bundle--5ab37b2c-e92d-4b68-a35a-865c8834bb63",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json b/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json
index 8162b8a336..bd2013e6b6 100644
--- a/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json
+++ b/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6ea255d0-50e0-4605-a7a0-a8ccf6ec7aaf",
+ "id": "bundle--a129737f-0360-4a87-85c5-7180071f8273",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json b/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json
index 208b180200..cd2d981e1c 100644
--- a/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json
+++ b/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--00017d41-8b00-4478-b3a3-b3e91da9bc9a",
+ "id": "bundle--d752a6c3-1d78-4f65-abb1-4fff9390b819",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json b/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json
index 8116eac898..a4a4a03129 100644
--- a/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json
+++ b/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json
@@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--927827a6-fc2a-4bb1-9ebb-fff4e3cacd6b", + "id": "bundle--d2902c2a-48aa-41c4-ba17-242b7c2a2b62", "spec_version": "2.0", "objects": [ { - "modified": "2023-10-17T20:05:34.648Z", - "name": "LockerGoga", - "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", - "x_mitre_platforms": [ - "Windows" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_version": "2.0", - "x_mitre_contributors": [ - "Joe Slowik - Dragos" - ], - "x_mitre_aliases": [ - "LockerGoga" - ], "type": "malware", "id": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "created": "2019-04-16T19:00:49.435Z", @@ -47,8 +29,26 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", + "modified": "2026-04-22T22:21:12.036Z", + "name": "LockerGoga", + "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "2.1", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Joe Slowik - Dragos" + ], + "x_mitre_aliases": [ + "LockerGoga" + ], "labels": [ "malware" ] 
diff --git a/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json b/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json index 2b62c1932a..8395feb2c8 100644 --- a/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json +++ b/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6417d3fc-f5c1-4a66-a689-9ad3213b3fb6", + "id": "bundle--e00159b2-89cb-4988-864d-168b0e859b8b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json b/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json index 0aaf3952af..5495bf9d95 100644 --- a/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json +++ b/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--618027bb-bfb9-4497-bc1a-de124d42a30c", + "id": "bundle--33b4e1eb-66c5-4d20-b807-fe09996bf390", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json b/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json index fdc7bf0d31..af0f506cfc 100644 --- a/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json +++ b/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca4a6384-8db4-46d4-b322-9bc8c4de532b", + "id": "bundle--a1dadb8a-5762-45f5-a6e2-64cbe0d17f1a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json b/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json index e764dca19a..4ef12283f9 100644 --- a/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json +++ b/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5fe1f43-64b5-4225-8fb2-f106e68f7f0c", + "id": "bundle--e56a3e0f-7493-40a2-94f5-39c036253467", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json b/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json index de0e887d22..1ca41e8800 100644 --- a/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json +++ b/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bb8247d7-ee40-4752-9716-ab7e64d063bb", + "id": "bundle--d0b5568d-ed60-403d-af5e-a200c168935c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json b/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json index 27cb18cdf8..409ac85daf 100644 --- a/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json +++ b/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json 
@@ -1,22 +1,9 @@ { "type": "bundle", - "id": "bundle--0f65b524-120f-4842-8496-10ca5a9f56ce", + "id": "bundle--c0a620ac-5f67-44df-9c54-905c9eb2ae67", "spec_version": "2.0", "objects": [ { - "modified": "2024-04-17T16:12:43.754Z", - "name": "Triton", - "description": "[Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)(Citation: Dragos December 2017)(Citation: DHS CISA February 2019)(Citation: Schneider Electric January 2018)(Citation: Julian Gutmanis March 2019)(Citation: Schneider December 2018)(Citation: Jos Wetzels January 2018)", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_aliases": [ - "Triton", - "TRISIS", - "HatMan" - ], "type": "malware", "id": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "created": "2019-03-26T15:02:14.907Z", 
@@ -67,8 +54,21 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", + "modified": "2026-04-22T20:06:22.741Z", + "name": "Triton", + "description": "[Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)(Citation: Dragos December 2017)(Citation: DHS CISA February 2019)(Citation: Schneider Electric January 2018)(Citation: Julian Gutmanis March 2019)(Citation: Schneider December 2018)(Citation: Jos Wetzels January 2018)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_aliases": [ + "Triton", + "TRISIS", + "HatMan" + ], "labels": [ "malware" ] diff --git a/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json b/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json index 6ae312e658..51a9cb702e 100644 --- a/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json +++ b/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2bd24b3b-a6c4-4425-8d56-f48ce9b04be3", + "id": "bundle--fc781979-4f9a-4476-9f1a-b296c783278f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--931e2489-8078-4f9f-85b2-a9211950e75b.json b/ics-attack/malware/malware--931e2489-8078-4f9f-85b2-a9211950e75b.json index 64ac775448..71de1c427f 100644 --- a/ics-attack/malware/malware--931e2489-8078-4f9f-85b2-a9211950e75b.json +++ b/ics-attack/malware/malware--931e2489-8078-4f9f-85b2-a9211950e75b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6777d455-4844-4339-8672-6062535302d3", + "id": "bundle--f34b8505-4629-4edb-af58-cea4202934d2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json b/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json index a9c53f5b16..e7cfcbf836 100644 --- a/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json +++ b/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc36c4a8-a2be-4012-86ce-8ea8345ad011", + "id": "bundle--176db5cd-6006-4a46-bfa5-e952e3bffc7b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json b/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json index c3ef622aa7..a54f344b7b 100644 --- a/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json +++ b/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02d8aa47-8bed-408e-a9da-2e64d4349f76", + "id": "bundle--8dcd82ce-b01e-4561-8e44-28542385b7f7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json b/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json index ddbdd2dc42..850aabd6bb 100644 --- a/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json +++ b/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d4cc0a0-e633-4b01-9315-8f23403a2e41", + "id": "bundle--8c816a63-807c-48ed-920f-43707e9cf2e9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json b/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json index f50f6304da..646ea1819c 100644 
--- a/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json +++ b/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f628809c-b39a-41a5-bb4a-a8da858e0963", + "id": "bundle--7fef4bc1-5cdd-411d-98ba-3e5930ecb12e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--b34df04a-9d30-4d84-a03f-0d536ee19a05.json b/ics-attack/malware/malware--b34df04a-9d30-4d84-a03f-0d536ee19a05.json index 978e99a423..f70eb2c379 100644 --- a/ics-attack/malware/malware--b34df04a-9d30-4d84-a03f-0d536ee19a05.json +++ b/ics-attack/malware/malware--b34df04a-9d30-4d84-a03f-0d536ee19a05.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ffd078c8-ccfd-42b7-a57b-e771ae1c243a", + "id": "bundle--58499b03-d2c0-4057-ab6e-8cb4d7177033", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json b/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json index 0a4cefd822..9d26dde3a6 100644 --- a/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json +++ b/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5e98a7ef-b98b-487e-ad09-9f5bcd166381", + "id": "bundle--e5687dec-f7ed-43d3-a2bb-59c720041917", "spec_version": "2.0", "objects": [ { 
@@ -48,22 +48,22 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T21:26:25.242Z", + "modified": "2026-04-23T14:06:34.251Z", "name": "INCONTROLLER", "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. [INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed [INCONTROLLER](https://attack.mitre.org/software/S1045) was developed by CHERNOVITE.(Citation: CISA-AA22-103A)(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Schneider-Incontroller)(Citation: Wylie-22) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ + "Engineering Workstation", "Field Controller/RTU/PLC/IED", "Safety Instrumented System/Protection Relay", - "Engineering Workstation", "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0", "x_mitre_contributors": [ "Jimmy Wylie, Dragos, Inc." ], diff --git a/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json b/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json index cf1b5b4446..ed25a9c58d 100644 --- a/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json +++ b/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5562fba3-0021-462b-bf9e-26cbaa768f2e", + "id": "bundle--cee5924d-2f60-4fae-8dd5-f72c1581ebb1", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json b/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json index 14d1a4a676..3f6ff85405 100644 --- a/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json +++ b/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json @@ -1,30 +1,9 @@ { "type": "bundle", - "id": "bundle--2f3ee828-8157-43ba-8a2e-5522f20ca27e", + "id": "bundle--e431a58d-6adc-4302-8188-29e4c8997128", "spec_version": "2.0", "objects": [ { - "modified": "2024-04-11T16:06:34.700Z", - "name": "Industroyer", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", - "x_mitre_platforms": [ - "Windows" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_contributors": [ - "Dragos Threat Intelligence", - "Joe Slowik - Dragos" - ], - "x_mitre_aliases": [ - "Industroyer", - "CRASHOVERRIDE", - "Win32/Industroyer" - ], "type": "malware", "id": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "created": "2021-01-04T20:42:21.997Z", 
@@ -63,8 +42,29 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", + "modified": "2026-04-23T14:11:53.057Z", + "name": "Industroyer", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_contributors": [ + "Dragos Threat Intelligence", + "Joe Slowik - Dragos" + ], + "x_mitre_aliases": [ + "Industroyer", + "CRASHOVERRIDE", + "Win32/Industroyer" + ], "labels": [ "malware" ] diff --git a/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json b/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json index 10a7e611c8..412d7e4184 100644 --- a/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json +++ b/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9cb24fda-64c5-47fb-bd04-29f4e1822f21", + "id": "bundle--8da2d205-3e55-41b2-8aca-bab76ab80b77", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json b/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json index 7a2bb9fc11..a4ce3fa537 100644 --- a/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json +++ b/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json @@ -1,14 +1,15 @@ { "type": "bundle", - "id": "bundle--20f61ae7-7405-428b-800b-4c3125eb6ed8", + "id": "bundle--369f1bdb-15c7-4b3d-a1fe-1c8a80362fb2", "spec_version": "2.0", "objects": [ { "definition": { - "statement": "Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." + "statement": "Copyright 2015-2026, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation." }, "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", "type": "marking-definition", + "spec_version": "2.1", "created": "2017-06-01T00:00:00.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "definition_type": "statement" diff --git a/ics-attack/relationship/relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198.json b/ics-attack/relationship/relationship--004d6d78-390b-4969-9e88-8b92d33fbfc0.json similarity index 71% rename from ics-attack/relationship/relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198.json rename to ics-attack/relationship/relationship--004d6d78-390b-4969-9e88-8b92d33fbfc0.json index fee53e7681..e2c535937e 100644 --- a/ics-attack/relationship/relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198.json +++ b/ics-attack/relationship/relationship--004d6d78-390b-4969-9e88-8b92d33fbfc0.json 
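Review bot: The added `"spec_version": "2.1"` on the marking-definition object disagrees with the enclosing bundle, which still declares `"spec_version": "2.0"`. In STIX 2.1 the version is carried per object and the bundle has no `spec_version`, while in 2.0 it is a bundle property only, so this file now matches neither layout cleanly. A strict validator, or a parser that selects its schema from the bundle-level value, may reject or mishandle the object, and the objects in the surrounding hunks all point at this marking through `object_marking_refs`. Either drop the object-level property here or move the whole bundle to the 2.1 layout in the same change.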
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--1efd03c6-3dd1-43c7-9e1a-0269cdf855d7", + "id": "bundle--116f24fd-107e-4999-a85e-9d6e059ece60", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198", + "id": "relationship--004d6d78-390b-4969-9e88-8b92d33fbfc0", "created": "2023-09-28T21:09:50.956Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:17.814Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--007a2c53-fc5c-4750-aff0-defb282e178a.json b/ics-attack/relationship/relationship--007a2c53-fc5c-4750-aff0-defb282e178a.json index 43d28e9f5b..011cc6124c 100644 --- a/ics-attack/relationship/relationship--007a2c53-fc5c-4750-aff0-defb282e178a.json +++ b/ics-attack/relationship/relationship--007a2c53-fc5c-4750-aff0-defb282e178a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d165a55a-33d7-4b08-9f78-cc5e262b2db3", + "id": "bundle--7089c275-0f19-46fe-afee-976aa70c4b69", "spec_version": "2.0", "objects": [ { 
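Review bot: The re-keyed relationship gets a new `id` (`relationship--004d6d78-390b-4969-9e88-8b92d33fbfc0`) and a new `source_ref`, yet the context lines keep `"created": "2023-09-28T21:09:50.956Z"` and `"modified": "2025-04-16T23:02:17.814Z"` from the object it replaces. Relationships that are newly added in this commit carry 2026 timestamps, so an importer that syncs incrementally by filtering on `modified` would likely skip this object while the old ID disappears, dropping the technique-to-asset `targets` link from its graph. Setting `created` and `modified` to the time the new ID was minted would avoid that; failing that, the release notes should state that re-keyed relationships keep their original timestamps. The rename to `relationship--0105c4f6-a34f-4e0e-964b-a7d108ea3e08` likewise keeps its 2020 `created` value, although its `modified` line falls outside the visible hunks.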
@@ -8,12 +8,10 @@ "id": "relationship--007a2c53-fc5c-4750-aff0-defb282e178a", "created": "2023-09-29T16:30:30.829Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:49.087Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--008c7424-73ef-4a99-bcfa-2d96eb7daba0.json b/ics-attack/relationship/relationship--008c7424-73ef-4a99-bcfa-2d96eb7daba0.json new file mode 100644 index 0000000000..c81ed1167b --- /dev/null +++ b/ics-attack/relationship/relationship--008c7424-73ef-4a99-bcfa-2d96eb7daba0.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a597cbb4-127b-4edb-bfe4-495d1f72a049", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--008c7424-73ef-4a99-bcfa-2d96eb7daba0", + "created": "2026-04-22T20:41:47.703Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:41:47.703Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--00b9e63b-57a7-408e-83d6-fc03535010a6.json b/ics-attack/relationship/relationship--00b9e63b-57a7-408e-83d6-fc03535010a6.json index 3ab2511ca6..dc78a1b17a 100644 
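Review bot: Removing `"revoked": false` and `"description": ""` changes the serialized object while `"modified": "2025-04-16T23:00:49.087Z"` stays as it was, so the same `id` and `modified` pair now has two different byte representations. Both removed values are a default or empty, so the meaning is unchanged, but a consumer that caches, hashes or signs objects keyed on that pair will see a mismatch it cannot tell apart from tampering. The same edit recurs in later relationship hunks (for example `relationship--011f1d16-c9f1-48ac-94f1-165466c155f8` and `relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd`), while the renamed and newly added relationships in this commit write `"revoked": false` explicitly. It would be cleaner to pick one convention for default-valued properties and to record in the changelog that these are serialization-only changes.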
--- a/ics-attack/relationship/relationship--00b9e63b-57a7-408e-83d6-fc03535010a6.json +++ b/ics-attack/relationship/relationship--00b9e63b-57a7-408e-83d6-fc03535010a6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f4bc1e2f-1bad-447c-a3b8-4937ca7950d8", + "id": "bundle--1ac3363e-7a27-40d8-a54e-5267989e0734", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--00b9e63b-57a7-408e-83d6-fc03535010a6", "created": "2023-09-27T14:39:33.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", diff --git a/ics-attack/relationship/relationship--00e34880-abdb-418d-9252-0433aa40950e.json b/ics-attack/relationship/relationship--00e34880-abdb-418d-9252-0433aa40950e.json new file mode 100644 index 0000000000..8f97e89de4 --- /dev/null +++ b/ics-attack/relationship/relationship--00e34880-abdb-418d-9252-0433aa40950e.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--5e838c12-a57e-4154-bd4b-853110d9d83b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--00e34880-abdb-418d-9252-0433aa40950e", + "created": "2026-04-22T15:09:56.165Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T15:09:56.165Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--6f318bab-df4a-4a51-b849-e9c2ab2f9c4c", + "target_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json b/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json index c62af4a7d1..258dfdc47b 100644 --- a/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json +++ b/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee2d9157-2527-4b19-87cf-0e99abc7851e", + "id": "bundle--c4ba9366-533a-4d37-a833-0084716300ce", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json b/ics-attack/relationship/relationship--0105c4f6-a34f-4e0e-964b-a7d108ea3e08.json similarity index 74% rename from ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json rename to ics-attack/relationship/relationship--0105c4f6-a34f-4e0e-964b-a7d108ea3e08.json index 10cd510358..6246b02ef0 100644 --- a/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json +++ b/ics-attack/relationship/relationship--0105c4f6-a34f-4e0e-964b-a7d108ea3e08.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--adeb7781-86b3-4cde-ab34-98df43c72171", + "id": "bundle--dc9fd1da-93b5-4782-9f24-f7124d7193dd", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1", + "id": "relationship--0105c4f6-a34f-4e0e-964b-a7d108ea3e08", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -15,10 +16,10 @@ "description": "Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--011f1d16-c9f1-48ac-94f1-165466c155f8.json b/ics-attack/relationship/relationship--011f1d16-c9f1-48ac-94f1-165466c155f8.json index 03e2538f2b..edd6878f09 100644 --- a/ics-attack/relationship/relationship--011f1d16-c9f1-48ac-94f1-165466c155f8.json +++ b/ics-attack/relationship/relationship--011f1d16-c9f1-48ac-94f1-165466c155f8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2a537099-b0a9-417f-a9f5-e2a20c5618da", + "id": "bundle--0c5d5547-ea67-441f-84e1-73b113b72acc", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--011f1d16-c9f1-48ac-94f1-165466c155f8", "created": "2023-09-29T18:43:33.176Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:49.972Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd.json b/ics-attack/relationship/relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd.json index cf7bcb466c..d65f86d07a 100644 
--- a/ics-attack/relationship/relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd.json +++ b/ics-attack/relationship/relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e6aa3d9-85d6-4c71-9e6d-15f17dfe534f", + "id": "bundle--1feb1a3a-6033-4bc9-ad3b-8e5d40265004", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd", "created": "2023-09-29T16:30:58.431Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:50.177Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--01335508-22bb-4185-a7e2-49ec9bee6423.json b/ics-attack/relationship/relationship--01335508-22bb-4185-a7e2-49ec9bee6423.json index 73a397a3ad..a9bf638de1 100644 --- a/ics-attack/relationship/relationship--01335508-22bb-4185-a7e2-49ec9bee6423.json +++ b/ics-attack/relationship/relationship--01335508-22bb-4185-a7e2-49ec9bee6423.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0430dd4d-518d-49f6-b4f1-c04a968e38e8", + "id": "bundle--9b74c9fc-1785-4217-8112-bcd4fdba2d8a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--01335508-22bb-4185-a7e2-49ec9bee6423", "created": "2023-09-28T20:15:20.293Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:50.425Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
diff --git a/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json b/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json index 118a153974..2464e87c89 100644 --- a/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json +++ b/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf171f4c-1526-4ec9-adbd-058a2967c595", + "id": "bundle--b5330635-8b2c-41ac-b796-b52e9aaf6f22", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--01c8cc53-dfd0-4afc-8df6-e57494bd9e24.json b/ics-attack/relationship/relationship--01c8cc53-dfd0-4afc-8df6-e57494bd9e24.json new file mode 100644 index 0000000000..d7c1bd90bb --- /dev/null +++ b/ics-attack/relationship/relationship--01c8cc53-dfd0-4afc-8df6-e57494bd9e24.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--9220a0c6-7ad5-4c31-93d8-271afb5ed464", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--01c8cc53-dfd0-4afc-8df6-e57494bd9e24", + "created": "2026-04-22T16:04:03.195Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:50:26.445Z", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124.json b/ics-attack/relationship/relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124.json index b05f450b8c..a81077a023 100644 --- a/ics-attack/relationship/relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124.json +++ b/ics-attack/relationship/relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--914b4b00-4d42-43d2-9b78-110fafee79bf", + "id": "bundle--944cd4b3-51a8-4571-a6ec-963e480fa18d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124", "created": "2023-09-29T18:55:47.037Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:51.055Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", diff --git a/ics-attack/relationship/relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json b/ics-attack/relationship/relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json index f841b51908..b12dc4c785 100644 --- a/ics-attack/relationship/relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json +++ b/ics-attack/relationship/relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1aedc66e-747c-4193-8b9e-e0ba743ba108", + "id": "bundle--9ad2f411-8d36-4fc4-be35-996525ca6a83", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50", "created": "2023-09-29T17:42:44.516Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:51.276Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json b/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json index 8c629be35e..1750446ef5 100644 --- a/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json +++ b/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9a0d0446-2f4c-4af2-b773-2346fd1ab66c", + "id": "bundle--37c828d0-7297-4ffd-917d-a1003e3fe78c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json b/ics-attack/relationship/relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json index 5e7fa9193e..ccfc7af641 100644 --- a/ics-attack/relationship/relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json +++ b/ics-attack/relationship/relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--47920900-e398-4648-9d87-a2f9e58354c9", + "id": "bundle--57072782-0ede-493f-b988-c775d84e91b6", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c", "created": "2023-09-29T17:59:31.091Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:51.927Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--03181dba-035f-45e6-a5c9-70d02a96e4f4.json b/ics-attack/relationship/relationship--03181dba-035f-45e6-a5c9-70d02a96e4f4.json index 136319c0c5..a04c75218b 100644 --- a/ics-attack/relationship/relationship--03181dba-035f-45e6-a5c9-70d02a96e4f4.json +++ b/ics-attack/relationship/relationship--03181dba-035f-45e6-a5c9-70d02a96e4f4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71882661-c4a0-4a6e-9d4a-28ae934a0849", + "id": "bundle--4c85f1e0-44f8-49c9-a5d5-d8b3c9a72e6e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--03181dba-035f-45e6-a5c9-70d02a96e4f4", "created": "2025-09-24T18:21:15.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--033b4401-261f-498b-89f3-2bad9ff5907a.json b/ics-attack/relationship/relationship--033b4401-261f-498b-89f3-2bad9ff5907a.json index 62ae02ad25..bb1cd9b31b 100644 --- a/ics-attack/relationship/relationship--033b4401-261f-498b-89f3-2bad9ff5907a.json +++ b/ics-attack/relationship/relationship--033b4401-261f-498b-89f3-2bad9ff5907a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a3660279-9cd2-4f51-a319-1c49a645129c", + "id": "bundle--5040b360-19f9-459d-97d8-b2542db393b0", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--033b4401-261f-498b-89f3-2bad9ff5907a", "created": "2023-09-29T17:58:15.338Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:52.127Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--570f630b-ee41-490f-a909-d2f15b5ad459.json b/ics-attack/relationship/relationship--03709641-2bf2-406a-9567-ccf9d0b65017.json similarity index 78% rename from ics-attack/relationship/relationship--570f630b-ee41-490f-a909-d2f15b5ad459.json rename to ics-attack/relationship/relationship--03709641-2bf2-406a-9567-ccf9d0b65017.json index f04edc0641..83ca386b30 100644 --- a/ics-attack/relationship/relationship--570f630b-ee41-490f-a909-d2f15b5ad459.json +++ b/ics-attack/relationship/relationship--03709641-2bf2-406a-9567-ccf9d0b65017.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--03cfedb9-b580-4dd0-a7a9-86560c81cde7", + "id": "bundle--b2fe3419-e1a3-4d41-b0ec-ad4f85f2804c", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--570f630b-ee41-490f-a909-d2f15b5ad459", + "id": "relationship--03709641-2bf2-406a-9567-ccf9d0b65017", "created": "2025-09-29T22:06:21.839Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-29T22:06:21.839Z", "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, 
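Review bot: In the rename of relationship--570f630b-… to relationship--03709641-…, the object gets a new `id` and a new `source_ref`, but `created` and `modified` both stay at `2025-09-29T22:06:21.839Z` (they are unchanged context lines in the two hunks). A consumer that syncs incrementally on `modified`, or that keys its asset and coverage mappings on the relationship id, will not notice the re-pointed `targets` edge and gets no revoked record for the old id. I would set `"modified"` to the time of this edit, and since the id is new, arguably `"created"` as well. The renames to relationship--05e82fa8-… and relationship--079705ab-… further down show the same pattern: `modified` is left at 2025-04-16 although `source_ref` and `x_mitre_attack_spec_version` change.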
diff --git a/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json b/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json index 6674bc9ee2..96fd7a3d87 100644 --- a/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json +++ b/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--10c59166-bbdf-425a-9427-811ddef7da49", + "id": "bundle--c916b1ad-a2fa-445c-a2d5-c378d3dd37ac", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57.json b/ics-attack/relationship/relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57.json index e9a49947d3..0895929ede 100644 --- a/ics-attack/relationship/relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57.json +++ b/ics-attack/relationship/relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--80798800-b673-48b5-9415-796b3ee516bf", + "id": "bundle--231af696-9bb2-4ac5-a191-04eb08e81d5d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57", "created": "2023-09-29T16:29:03.438Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:52.555Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
diff --git a/ics-attack/relationship/relationship--03b4dae7-3b20-4ea9-9f7c-6c97582f98b7.json b/ics-attack/relationship/relationship--03b4dae7-3b20-4ea9-9f7c-6c97582f98b7.json index a0ee33412d..9436fbcf3d 100644 --- a/ics-attack/relationship/relationship--03b4dae7-3b20-4ea9-9f7c-6c97582f98b7.json +++ b/ics-attack/relationship/relationship--03b4dae7-3b20-4ea9-9f7c-6c97582f98b7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63e360f2-43fd-4783-ba1f-042240ad6d3a", + "id": "bundle--76c36b04-93f6-438a-993a-6d1a5450e1e7", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--03b4dae7-3b20-4ea9-9f7c-6c97582f98b7", "created": "2024-03-28T14:33:00.899Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Triton-EENews-2017", diff --git a/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json b/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json index 9d0842d160..6fc1c768a3 100644 --- a/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json +++ b/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b97de9b-c0a5-4e16-b7bb-3c3d7b2444e9", + "id": "bundle--0cefb2e6-1d0c-4c5c-b0e7-73ddbd235ee9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json b/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json index 5f13f84cca..d2f655c79f 100644 --- a/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json +++ b/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--850eced3-29b2-4948-958d-0e9b002b605d", + "id": "bundle--4759da16-4cb0-463e-8ff3-98593e8e0da2", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91", "created": "2023-03-30T19:00:12.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Keith Stouffer May 2015", diff --git a/ics-attack/relationship/relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361.json b/ics-attack/relationship/relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361.json index 722157a126..69bf099043 100644 --- a/ics-attack/relationship/relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361.json +++ b/ics-attack/relationship/relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--46537498-2650-4759-a838-5f2542209837", + "id": "bundle--9816ebaa-ed55-4041-b602-9641ce43938c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361", "created": "2023-09-29T17:40:34.866Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:53.760Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--0406292e-1288-42ac-b74b-88f5f0a7f1b9.json b/ics-attack/relationship/relationship--0406292e-1288-42ac-b74b-88f5f0a7f1b9.json index 7b0f2aef94..48b017966e 100644 --- a/ics-attack/relationship/relationship--0406292e-1288-42ac-b74b-88f5f0a7f1b9.json +++ b/ics-attack/relationship/relationship--0406292e-1288-42ac-b74b-88f5f0a7f1b9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ab9a0b7-3fdd-454c-be47-ca39d9ca33d9", + "id": "bundle--46f4998b-de72-409b-82e0-fe104eb53bd8", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--0406292e-1288-42ac-b74b-88f5f0a7f1b9", "created": "2025-09-24T18:03:25.211Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json b/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json index fd211a3b67..fb20c24745 100644 --- a/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json +++ b/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ebfbde1-e626-49c4-b5d4-121fd464df14", + "id": "bundle--15ef7bf7-3243-4f30-bbfb-6c9812ca83c3", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--042243fd-bfe0-4961-96de-a36232d3ff74", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Symantec Security Response July 2014", diff --git a/ics-attack/relationship/relationship--046ca7d3-d2d2-458b-bce4-236bc0f207e5.json b/ics-attack/relationship/relationship--046ca7d3-d2d2-458b-bce4-236bc0f207e5.json new file mode 100644 index 0000000000..0aa644e187 --- /dev/null +++ b/ics-attack/relationship/relationship--046ca7d3-d2d2-458b-bce4-236bc0f207e5.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--9bd04b75-eb54-418a-b764-64a693f43e8d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--046ca7d3-d2d2-458b-bce4-236bc0f207e5", + "created": "2026-04-22T22:30:00.729Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:30:00.729Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json b/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json index a5a89aa0a3..fbb594f862 100644 --- a/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json +++ b/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b495bcc-38f6-4276-8583-b300e24d93b8", + "id": "bundle--6fc65e6a-a088-449b-8a44-f737b2b681cb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json b/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json index 49e6344cad..c4f8aa363a 100644 --- a/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json +++ b/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--da3ce98e-7e86-4242-b744-7e01c9392bab", + "id": "bundle--c29be1dc-9eae-4c62-89e3-68a500dc4bc3", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863.json b/ics-attack/relationship/relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863.json index 8b2443fa6c..6ba37bb8a3 100644 --- a/ics-attack/relationship/relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863.json +++ b/ics-attack/relationship/relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65589423-7f14-4f73-b50e-9cf2e0f9c7c0", + "id": "bundle--7b7fb84a-a45e-4a7a-8b7f-8761b6ef2d09", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863", "created": "2023-09-28T20:29:11.776Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:54.635Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json b/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json index f2f712d67c..46f3d3bef2 100644 --- a/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json +++ b/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f02a00fe-6028-4467-bc5b-21b4119718a2", + "id": "bundle--6a3c143e-0c4d-4e6c-b708-c2082e6ee398", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--04bf72de-75ba-4d95-ad24-f93ad835180c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", 
diff --git a/ics-attack/relationship/relationship--0525121a-0797-4353-98d0-7efc65793157.json b/ics-attack/relationship/relationship--0525121a-0797-4353-98d0-7efc65793157.json new file mode 100644 index 0000000000..3126b771e3 --- /dev/null +++ b/ics-attack/relationship/relationship--0525121a-0797-4353-98d0-7efc65793157.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--7cfc9b84-3047-4efc-b6f2-98546e5db805", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0525121a-0797-4353-98d0-7efc65793157", + "created": "2026-04-22T20:41:30.328Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:41:30.328Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--052da7dd-e7c9-4ab3-a8f9-eb734b24ec60.json b/ics-attack/relationship/relationship--052da7dd-e7c9-4ab3-a8f9-eb734b24ec60.json index be9523d55d..3f8b48e539 100644 --- a/ics-attack/relationship/relationship--052da7dd-e7c9-4ab3-a8f9-eb734b24ec60.json +++ b/ics-attack/relationship/relationship--052da7dd-e7c9-4ab3-a8f9-eb734b24ec60.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6259e2f0-1fdd-40fb-8de2-cd5befaa8dd9", + "id": "bundle--fcc0ce57-65ed-41b6-9bb2-4b40f6b1b105", "spec_version": "2.0", "objects": [ { 
@@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--0f2e4927-401d-430e-96ed-90feb8df1b03", "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", diff --git a/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json b/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json index c34c5b2d54..82876a2661 100644 --- a/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json +++ b/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6eb5a2b0-0c34-428f-aab0-92f446c432f3", + "id": "bundle--d92a1ed4-54cd-4ee2-bd90-56cf989b1552", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--058396ca-3af4-444b-b261-74485c47e68c", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik April 2019", diff --git a/ics-attack/relationship/relationship--05d18e5c-9c1f-4ee3-95a2-da62bf1c45f8.json b/ics-attack/relationship/relationship--05d18e5c-9c1f-4ee3-95a2-da62bf1c45f8.json new file mode 100644 index 0000000000..3438023fe2 --- /dev/null +++ b/ics-attack/relationship/relationship--05d18e5c-9c1f-4ee3-95a2-da62bf1c45f8.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--1d258c34-56c4-4a9e-9fb1-e01a2b58568d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--05d18e5c-9c1f-4ee3-95a2-da62bf1c45f8", + "created": "2026-04-23T00:28:51.179Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:28:51.179Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5ff26c96-c610-4669-b44e-d6318205be5a.json b/ics-attack/relationship/relationship--05e82fa8-d762-4b8f-ae07-019e0f24100b.json similarity index 71% rename from ics-attack/relationship/relationship--5ff26c96-c610-4669-b44e-d6318205be5a.json rename to ics-attack/relationship/relationship--05e82fa8-d762-4b8f-ae07-019e0f24100b.json index c76920caf5..c76ea444c8 100644 --- a/ics-attack/relationship/relationship--5ff26c96-c610-4669-b44e-d6318205be5a.json +++ b/ics-attack/relationship/relationship--05e82fa8-d762-4b8f-ae07-019e0f24100b.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--7abd45b7-7ad9-43e7-990b-1ce870e5e64c", + "id": "bundle--b7332a47-0dc4-4417-9cdb-6ec3bdcf8608", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--5ff26c96-c610-4669-b44e-d6318205be5a", + "id": "relationship--05e82fa8-d762-4b8f-ae07-019e0f24100b", "created": "2023-09-29T16:43:28.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:40.092Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "source_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--061271f5-0d51-4011-9451-532cd1efedbd.json b/ics-attack/relationship/relationship--061271f5-0d51-4011-9451-532cd1efedbd.json new file mode 100644 index 0000000000..ea10ac9b79 --- /dev/null +++ b/ics-attack/relationship/relationship--061271f5-0d51-4011-9451-532cd1efedbd.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--b786de86-1d37-412b-ab19-6247f26d51a9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--061271f5-0d51-4011-9451-532cd1efedbd", + "created": "2026-04-23T14:20:03.889Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite\u2019s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T14:20:03.889Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.(Citation: Dragos-Pipedream)(Citation: Wylie-22)\n", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json b/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json index fc18cd297d..4478040eb9 100644 
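Review bot: The `description` of the new INCONTROLLER `uses` relationship (relationship--061271f5-…) ends in a literal `\n` after the last citation, which the other descriptions added in this diff do not have. Tools that render, hash or string-compare descriptions will treat it as content, so the value should end at `(Citation: Wylie-22)`. The Dragos reference URL also carries a `?hsLang=en` query string that looks unnecessary for locating the document, though that cannot be confirmed from the diff alone.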
--- a/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json +++ b/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b75d517-5b9d-4995-8ab6-860d45e85e27", + "id": "bundle--49f3d378-029a-45dd-b092-e6d52203a12d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--064dfd6f-db5d-48e8-b350-9dd47a270911", "created": "2022-09-28T20:22:09.916Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA-AA22-103A", diff --git a/ics-attack/relationship/relationship--0665de34-d5a5-46ae-a0e5-3021bf48c294.json b/ics-attack/relationship/relationship--0665de34-d5a5-46ae-a0e5-3021bf48c294.json new file mode 100644 index 0000000000..ba22d94cb3 --- /dev/null +++ b/ics-attack/relationship/relationship--0665de34-d5a5-46ae-a0e5-3021bf48c294.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--97225039-2c38-46a2-af87-5a931a6f04c0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0665de34-d5a5-46ae-a0e5-3021bf48c294", + "created": "2026-04-20T20:54:17.554Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:17.554Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json b/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json index 9baf050b4d..ccdf63c7b3 100644 
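Review bot: The new `subtechnique-of` relationship (relationship--0665de34-…) is written without `x_mitre_deprecated`, whereas every other relationship file added in this part of the diff carries `"x_mitre_deprecated": false`. The same commit also removes `"revoked": false` from existing objects while adding it to new ones, so the absent and explicit-false forms now coexist. If the omission is not intentional, add `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version`. Either way, consumers that filter out deprecated or revoked objects should treat a missing key as false rather than dropping the object.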
--- a/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json +++ b/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43199fe6-9a41-4969-bb63-7128b662cc2b", + "id": "bundle--e75971cc-4806-4b13-8248-bd1a917eecd2", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--067932c3-0011-4ca2-9bbe-721c631e4e41", "created": "2021-04-13T12:45:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", diff --git a/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json b/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json index 6c9bd391d6..1c4cec8076 100644 --- a/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json +++ b/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cb1e4247-4170-45a9-990e-d40b78418f62", + "id": "bundle--e0369f6c-29d8-4831-b2f8-43fac129b2e8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e.json b/ics-attack/relationship/relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e.json index 6c912c3d2e..49136dfb5f 100644 --- a/ics-attack/relationship/relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e.json +++ b/ics-attack/relationship/relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--84a7b520-a592-44c3-806a-f32cc5a3f250", + "id": "bundle--1433cc97-1a8d-494b-a91d-d69edea6ca0e", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e", "created": "2023-09-28T21:28:51.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:57.095Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--076bfea6-309e-4804-a147-dffe93983481.json b/ics-attack/relationship/relationship--076bfea6-309e-4804-a147-dffe93983481.json index 3a9f84084b..9db3061fb7 100644 --- a/ics-attack/relationship/relationship--076bfea6-309e-4804-a147-dffe93983481.json +++ b/ics-attack/relationship/relationship--076bfea6-309e-4804-a147-dffe93983481.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1124c5cf-3a90-480b-a88f-b2d3390c82bb", + "id": "bundle--ff0189d1-f38a-490d-8470-e91e446fb84f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--076bfea6-309e-4804-a147-dffe93983481", "created": "2023-09-28T20:16:17.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:57.327Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--077226fd-25b1-4d77-b2e5-d81331ff803b.json b/ics-attack/relationship/relationship--077226fd-25b1-4d77-b2e5-d81331ff803b.json index e18d2ecd37..8f4dbbcd99 100644 --- a/ics-attack/relationship/relationship--077226fd-25b1-4d77-b2e5-d81331ff803b.json +++ b/ics-attack/relationship/relationship--077226fd-25b1-4d77-b2e5-d81331ff803b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad647b7e-32a5-4e15-a936-3d205967c2b7", + "id": "bundle--18518e15-745a-4bbe-aa65-4386960ac736", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--077226fd-25b1-4d77-b2e5-d81331ff803b", "created": "2025-09-29T19:02:12.939Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8.json b/ics-attack/relationship/relationship--079705ab-c377-4a5b-b9f3-70ed03419ee2.json similarity index 71% rename from ics-attack/relationship/relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8.json rename to ics-attack/relationship/relationship--079705ab-c377-4a5b-b9f3-70ed03419ee2.json index e406a0e78e..f30874a29a 100644 --- a/ics-attack/relationship/relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8.json +++ b/ics-attack/relationship/relationship--079705ab-c377-4a5b-b9f3-70ed03419ee2.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--613eb991-1aac-4f49-938d-95f0ba1ca374", + "id": "bundle--c33c83e5-8709-486d-9579-326a2c882de2", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8", + "id": "relationship--079705ab-c377-4a5b-b9f3-70ed03419ee2", "created": "2023-09-29T17:09:59.595Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:27.268Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--079dfa0e-16b1-4d5a-a548-46b53de7cd61.json b/ics-attack/relationship/relationship--079dfa0e-16b1-4d5a-a548-46b53de7cd61.json new file mode 100644 index 0000000000..b59ca188e3 --- /dev/null +++ b/ics-attack/relationship/relationship--079dfa0e-16b1-4d5a-a548-46b53de7cd61.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--b4be6604-417a-4f89-93f5-39decfe0be3c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--079dfa0e-16b1-4d5a-a548-46b53de7cd61", + "created": "2026-04-22T16:36:52.234Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:36:52.234Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
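Review bot: The `modified` value stays at `2025-04-16T23:01:27.268Z` in this hunk even though `source_ref` is re-pointed to a different attack-pattern and the object is published under a new relationship id. Other re-pointed relationships in this commit do advance it (relationship--085c2906 and relationship--096e7743 move to 2026-04-23), while the hunks for relationship--085ccfd8, relationship--0aefda29 and relationship--0afaef8a leave it untouched in the same way. A consumer that syncs incrementally on `modified`, or that keeps the newer of two versions, may not pick up the new mapping, so coverage reports built on these `targets` and `detects` edges could keep pointing at the previous technique id. I would set `"modified": "<timestamp of this release>",` on every relationship whose `source_ref` or `target_ref` changes.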
diff --git a/ics-attack/relationship/relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5.json b/ics-attack/relationship/relationship--07ccd2e1-d4fa-44ff-8d42-95a0942f89d6.json similarity index 84% rename from ics-attack/relationship/relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5.json rename to ics-attack/relationship/relationship--07ccd2e1-d4fa-44ff-8d42-95a0942f89d6.json index 5be7af072f..9c1c5c27d5 100644 --- a/ics-attack/relationship/relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5.json +++ b/ics-attack/relationship/relationship--07ccd2e1-d4fa-44ff-8d42-95a0942f89d6.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--dcc703b9-60d3-484c-95b9-e80556b1a8c7", + "id": "bundle--b1aeff0d-80dd-4f01-8e5a-81d8b6e896ba", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5", + "id": "relationship--07ccd2e1-d4fa-44ff-8d42-95a0942f89d6", "created": "2023-03-10T20:35:16.772Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -23,10 +23,10 @@ "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--07e06d21-e666-4274-838a-ef9996fdc0cd.json b/ics-attack/relationship/relationship--07e06d21-e666-4274-838a-ef9996fdc0cd.json index 7b381696f5..f35ef98fc6 100644 --- a/ics-attack/relationship/relationship--07e06d21-e666-4274-838a-ef9996fdc0cd.json +++ b/ics-attack/relationship/relationship--07e06d21-e666-4274-838a-ef9996fdc0cd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--57fc9d28-ab70-4698-940c-29c1484fe1e3", + "id": "bundle--f3c1c345-7d72-420b-b51f-e4cf7459839f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--07e06d21-e666-4274-838a-ef9996fdc0cd", "created": "2023-09-28T20:05:45.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:57.749Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json b/ics-attack/relationship/relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json index 1686ee503f..31cb17b3e0 100644 --- a/ics-attack/relationship/relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json +++ b/ics-attack/relationship/relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cfb45ec2-ba37-48aa-9d04-83dfed44d6d1", + "id": "bundle--cd5b9023-e341-4c43-92c7-58799eb9fe24", "spec_version": "2.0", "objects": [ { 
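Review bot: Removing `"revoked": false,` from relationship--07e06d21 makes the field optional in practice, because the renamed and newly added relationships in this same commit still carry it (relationship--085c2906 and relationship--085ccfd8 even gain the line). The same removal repeats across the other in-place hunks, together with the dropped empty `"description": "",`. Consumers therefore have to read an absent `revoked` as false and an absent `description` as empty; a filter that requires the key to be present could drop live `targets`, `mitigates` or `detects` edges from a coverage view without raising an error. Either keep `"revoked": false,` on every object or state the absent-means-false rule in the release notes so the serialization is uniform.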
@@ -8,12 +8,10 @@ "id": "relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44", "created": "2023-09-29T16:47:20.192Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:57.964Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json b/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json index cbd27a2ba1..5c94f991fa 100644 --- a/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json +++ b/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--58580aa1-f42d-481f-aafe-1c20ef7cabea", + "id": "bundle--a9491912-d129-4a56-8169-16e338075d5a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json b/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json index 32431f4bb7..b3a5a920bc 100644 --- a/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json +++ b/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a7254b92-fa4f-4b83-8dc9-fe9290e40584", + "id": "bundle--6f3e03db-5917-4531-81b9-a73d12521bae", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json b/ics-attack/relationship/relationship--085c2906-24e2-4bc8-8e5d-fded599d798c.json similarity index 76% rename from ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json rename to ics-attack/relationship/relationship--085c2906-24e2-4bc8-8e5d-fded599d798c.json index c673a394b3..bb4031f4d9 100644 --- a/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json +++ b/ics-attack/relationship/relationship--085c2906-24e2-4bc8-8e5d-fded599d798c.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--928d9d81-3939-4865-8e9c-e0a431db1b88", + "id": "bundle--5b6ba20c-bf8b-43d6-bdb7-0e622310cfe6", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6", + "id": "relationship--085c2906-24e2-4bc8-8e5d-fded599d798c", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security September 2016", 
@@ -18,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:41.201Z", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "modified": "2026-04-23T19:02:18.254Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bdcec963-7b0d-4c42-89e8-7b1dd9ba72c9.json b/ics-attack/relationship/relationship--085ccfd8-ef5f-41cb-abc7-be5330c60f4e.json similarity index 75% rename from ics-attack/relationship/relationship--bdcec963-7b0d-4c42-89e8-7b1dd9ba72c9.json rename to ics-attack/relationship/relationship--085ccfd8-ef5f-41cb-abc7-be5330c60f4e.json index 2447a12773..30de9b6ef8 100644 --- a/ics-attack/relationship/relationship--bdcec963-7b0d-4c42-89e8-7b1dd9ba72c9.json +++ b/ics-attack/relationship/relationship--085ccfd8-ef5f-41cb-abc7-be5330c60f4e.json 
@@ -1,21 +1,21 @@ { "type": "bundle", - "id": "bundle--f81ef1e9-cedb-4c99-9301-a31c89952c22", + "id": "bundle--c9b7c42f-43e6-4af6-be4b-4678487841f8", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--bdcec963-7b0d-4c42-89e8-7b1dd9ba72c9", + "id": "relationship--085ccfd8-ef5f-41cb-abc7-be5330c60f4e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--b04e83cc-8ace-4880-8953-7ce55eb8c427", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" diff --git a/ics-attack/relationship/relationship--0861bf03-eadd-45a4-8490-ae2a2939125b.json b/ics-attack/relationship/relationship--0861bf03-eadd-45a4-8490-ae2a2939125b.json index fe80624761..d1a4879829 100644 --- a/ics-attack/relationship/relationship--0861bf03-eadd-45a4-8490-ae2a2939125b.json +++ b/ics-attack/relationship/relationship--0861bf03-eadd-45a4-8490-ae2a2939125b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--698e2740-aa09-4b56-8eee-6cad6364458f", + "id": "bundle--eb44b375-3cef-4127-aaf9-8df6ccab0ec2", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--a366d027-d797-4957-949a-870aed0766dd", "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", 
diff --git a/ics-attack/relationship/relationship--095456bc-898b-4c76-a062-ff0ea90aeab4.json b/ics-attack/relationship/relationship--095456bc-898b-4c76-a062-ff0ea90aeab4.json index 00ea3f5a54..ed77e35c2d 100644 --- a/ics-attack/relationship/relationship--095456bc-898b-4c76-a062-ff0ea90aeab4.json +++ b/ics-attack/relationship/relationship--095456bc-898b-4c76-a062-ff0ea90aeab4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a9604eaa-328b-4c15-8628-d387fb713371", + "id": "bundle--8379c967-5d0f-4f81-a3ec-dec918800f48", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--095456bc-898b-4c76-a062-ff0ea90aeab4", "created": "2023-09-28T21:25:05.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:59.310Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--09676502-c50a-47ca-bbef-fffced52346e.json b/ics-attack/relationship/relationship--09676502-c50a-47ca-bbef-fffced52346e.json new file mode 100644 index 0000000000..8f9cb10e3e --- /dev/null +++ b/ics-attack/relationship/relationship--09676502-c50a-47ca-bbef-fffced52346e.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--251adc1d-59cc-4f52-b540-86a6c71f138d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--09676502-c50a-47ca-bbef-fffced52346e", + "created": "2026-04-23T00:09:58.357Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:09:58.357Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--2e99cd65-aad4-4796-9013-79837d498eb6", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--096c3136-dac9-4729-98c0-c8d870f2bd13.json b/ics-attack/relationship/relationship--096c3136-dac9-4729-98c0-c8d870f2bd13.json index b20a01812c..c045d62ceb 100644 --- a/ics-attack/relationship/relationship--096c3136-dac9-4729-98c0-c8d870f2bd13.json +++ b/ics-attack/relationship/relationship--096c3136-dac9-4729-98c0-c8d870f2bd13.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5e4e691-25f0-4f0a-9cba-36263e393790", + "id": "bundle--908e2836-4135-477c-bf40-e506ad91be2b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--096c3136-dac9-4729-98c0-c8d870f2bd13", "created": "2023-09-28T19:42:01.055Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:59.533Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
diff --git a/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json b/ics-attack/relationship/relationship--096e7743-c090-4386-a759-d749f00bae61.json similarity index 67% rename from ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json rename to ics-attack/relationship/relationship--096e7743-c090-4386-a759-d749f00bae61.json index eab56fb9b8..33d70e1650 100644 --- a/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json +++ b/ics-attack/relationship/relationship--096e7743-c090-4386-a759-d749f00bae61.json @@ -1,24 +1,25 @@ { "type": "bundle", - "id": "bundle--79df3cd1-b1de-43f1-84c5-1ab7db555ae1", + "id": "bundle--cfc725ba-a4d9-4327-982b-09001b2e8652", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8", + "id": "relationship--096e7743-c090-4386-a759-d749f00bae61", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:25:05.720Z", - "description": "Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices\n", + "modified": "2026-04-23T19:31:58.810Z", + "description": "Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--098ea270-0a22-4922-a585-412d8ee78390.json b/ics-attack/relationship/relationship--098ea270-0a22-4922-a585-412d8ee78390.json new file mode 100644 index 0000000000..e832d1d066 --- /dev/null +++ b/ics-attack/relationship/relationship--098ea270-0a22-4922-a585-412d8ee78390.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--145ee75d-b9b4-4af8-bc92-07af37b724cf", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--098ea270-0a22-4922-a585-412d8ee78390", + "created": "2026-04-22T20:41:09.962Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:41:09.962Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--09a96454-505b-4e05-bc0d-41bf791dc926.json b/ics-attack/relationship/relationship--09a96454-505b-4e05-bc0d-41bf791dc926.json index ddc5f17e43..a84da4c424 100644 --- a/ics-attack/relationship/relationship--09a96454-505b-4e05-bc0d-41bf791dc926.json +++ b/ics-attack/relationship/relationship--09a96454-505b-4e05-bc0d-41bf791dc926.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ef77f47-29a1-4ab8-ac08-33aff78ccc54", + "id": "bundle--c6ae0eec-42d9-4e7b-9f5e-fb9d1474fce9", "spec_version": "2.0", "objects": [ { 
@@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--edf989d8-7e25-4ed2-b289-a55dee68a75e", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", diff --git a/ics-attack/relationship/relationship--09e0c991-1707-431b-a0fd-fd8215e6d552.json b/ics-attack/relationship/relationship--09e0c991-1707-431b-a0fd-fd8215e6d552.json index 43cf88aaab..ecf24fcb81 100644 --- a/ics-attack/relationship/relationship--09e0c991-1707-431b-a0fd-fd8215e6d552.json +++ b/ics-attack/relationship/relationship--09e0c991-1707-431b-a0fd-fd8215e6d552.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ffa33cb-8407-48a3-8528-1826d7bde154", + "id": "bundle--ed80e691-794d-4d40-9744-940a0816273c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--09e0c991-1707-431b-a0fd-fd8215e6d552", "created": "2023-09-28T20:30:12.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:59.961Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json b/ics-attack/relationship/relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json index fe694cb012..3b518d46d8 100644 --- a/ics-attack/relationship/relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json +++ b/ics-attack/relationship/relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--500b2d06-2c55-4247-b5f0-ddb8144c81db", + "id": "bundle--1adcfc55-4520-450d-bba0-0066f37aae24", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6", "created": "2023-09-28T19:53:56.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:00.211Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--0a3b621d-2e88-4392-9963-3fdc40d3cb42.json b/ics-attack/relationship/relationship--0a3b621d-2e88-4392-9963-3fdc40d3cb42.json index bb8a76d4cd..f212ea6888 100644 --- a/ics-attack/relationship/relationship--0a3b621d-2e88-4392-9963-3fdc40d3cb42.json +++ b/ics-attack/relationship/relationship--0a3b621d-2e88-4392-9963-3fdc40d3cb42.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fdc4c23c-5101-4777-b143-8f2c4c0b6151", + "id": "bundle--3a4196cc-fcf4-41c3-8108-e86fe6e50a07", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--0a3b621d-2e88-4392-9963-3fdc40d3cb42", "created": "2025-09-29T22:03:02.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--0a421699-f013-49f4-9d9f-01d95d210510.json b/ics-attack/relationship/relationship--0a421699-f013-49f4-9d9f-01d95d210510.json index 8e447861e5..249726874d 100644 --- a/ics-attack/relationship/relationship--0a421699-f013-49f4-9d9f-01d95d210510.json +++ b/ics-attack/relationship/relationship--0a421699-f013-49f4-9d9f-01d95d210510.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--56fcc71c-b36b-4816-a890-bc1219c08ea0", + "id": "bundle--42084d27-6e75-4d8f-acff-a404a3992db2", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--0a421699-f013-49f4-9d9f-01d95d210510", "created": "2023-09-28T19:37:25.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:00.654Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json b/ics-attack/relationship/relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json index 0755133cf6..c15cc4fcb3 100644 --- a/ics-attack/relationship/relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json +++ b/ics-attack/relationship/relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60c261e7-90aa-484a-98a1-144bdb21c540", + "id": "bundle--626c3ba2-424c-4665-af05-e07efce27ca1", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a", "created": "2023-09-29T17:38:04.048Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:00.869Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json b/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json index 9ac0f3b502..5a2307f60b 100644 --- a/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json +++ b/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5b16ab4d-8598-4ab0-9db1-447ca6e16b26", + "id": "bundle--6eeb621c-75df-4f0c-bbb8-ba3d85724f14", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--6b54f354-9059-4366-8077-87360c4db2ab.json b/ics-attack/relationship/relationship--0aefda29-be77-4660-b7a5-a6430f409914.json similarity index 71% rename from ics-attack/relationship/relationship--6b54f354-9059-4366-8077-87360c4db2ab.json rename to ics-attack/relationship/relationship--0aefda29-be77-4660-b7a5-a6430f409914.json index d3af8d201d..3447362fc1 100644 --- a/ics-attack/relationship/relationship--6b54f354-9059-4366-8077-87360c4db2ab.json +++ b/ics-attack/relationship/relationship--0aefda29-be77-4660-b7a5-a6430f409914.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--145ac5f4-49fe-4abb-9403-3e1bccc5b3b0", + "id": "bundle--f97cf044-057b-44ac-ac8e-15a4c81c6ee7", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--6b54f354-9059-4366-8077-87360c4db2ab", + "id": "relationship--0aefda29-be77-4660-b7a5-a6430f409914", "created": "2023-10-02T20:18:20.019Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:56.338Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0.json b/ics-attack/relationship/relationship--0afaef8a-ed55-4a5b-bbbb-0671a8ffaa79.json similarity index 71% rename from ics-attack/relationship/relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0.json rename to ics-attack/relationship/relationship--0afaef8a-ed55-4a5b-bbbb-0671a8ffaa79.json index 701f48f518..61cea3cf15 100644 --- a/ics-attack/relationship/relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0.json +++ b/ics-attack/relationship/relationship--0afaef8a-ed55-4a5b-bbbb-0671a8ffaa79.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--44542b79-6855-44e9-b5fe-860f3925d91e", + "id": "bundle--e26e0a51-b6ed-4473-b1d7-75c40967bb24", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0", + "id": "relationship--0afaef8a-ed55-4a5b-bbbb-0671a8ffaa79", "created": "2023-09-29T18:42:27.894Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:50.855Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json b/ics-attack/relationship/relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json index ff7e97944b..c9f0b65843 100644 --- a/ics-attack/relationship/relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json +++ b/ics-attack/relationship/relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--294ff364-c252-407f-a19d-f3aead59c734", + "id": "bundle--e27bc9be-00a3-470f-901f-cbccb93b6694", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91", "created": "2023-10-02T20:23:11.865Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:01.311Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json b/ics-attack/relationship/relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json index 13546d9ae5..78de80679b 100644 --- a/ics-attack/relationship/relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json 
+++ b/ics-attack/relationship/relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f41c0a9-d62a-4d75-ac9a-5447cc27d534", + "id": "bundle--2edc63ad-c680-41e9-ba0f-4e46847f067c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42", "created": "2023-09-28T19:59:10.561Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:01.508Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--0b4198f1-e32d-4430-af65-893d3007be7f.json b/ics-attack/relationship/relationship--0b4198f1-e32d-4430-af65-893d3007be7f.json new file mode 100644 index 0000000000..516055aff7 --- /dev/null +++ b/ics-attack/relationship/relationship--0b4198f1-e32d-4430-af65-893d3007be7f.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--69c48d88-a4ca-4503-9bb1-d825ffda9f59", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0b4198f1-e32d-4430-af65-893d3007be7f", + "created": "2026-04-22T16:09:16.900Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:09:16.900Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json b/ics-attack/relationship/relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json index 0978ecbb01..390543124e 100644 --- a/ics-attack/relationship/relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json +++ b/ics-attack/relationship/relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd2111b8-f7ed-4208-86cb-1b0e74f37285", + "id": "bundle--0d2c71c4-deb3-48b2-a564-23c57a7c75b1", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f", "created": "2023-09-28T21:22:48.239Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:01.731Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b.json b/ics-attack/relationship/relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b.json index 12cbc2804c..9342a96f63 100644 --- a/ics-attack/relationship/relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b.json +++ b/ics-attack/relationship/relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--986cf679-3926-4cb4-ba19-f47d3a852d4d", + "id": "bundle--9c91587e-9ea5-4a7e-ae42-0b0bd67b4786", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b", "created": "2023-09-29T18:46:22.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:02.137Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016.json b/ics-attack/relationship/relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016.json index 8de6942edc..d9a1966f96 100644 --- a/ics-attack/relationship/relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016.json +++ b/ics-attack/relationship/relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f395d9f6-52a2-4c2b-846a-0ee3e0136d18", + "id": "bundle--cbf3131b-2de0-4363-b1ed-a5cb2b2c068d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016", "created": "2023-09-28T20:10:34.479Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:02.390Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
diff --git a/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json b/ics-attack/relationship/relationship--0bdfc1b0-3dd2-4170-a39e-98675202a6d2.json similarity index 73% rename from ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json rename to ics-attack/relationship/relationship--0bdfc1b0-3dd2-4170-a39e-98675202a6d2.json index 878480429c..253739f5c6 100644 --- a/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json +++ b/ics-attack/relationship/relationship--0bdfc1b0-3dd2-4170-a39e-98675202a6d2.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--b85004c4-625f-400f-9f65-7d5e7b8b94e6", + "id": "bundle--9dbc1948-9248-431a-a399-87699312bebc", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--3da977ab-c863-4e6f-a5b7-68173160da00", + "id": "relationship--0bdfc1b0-3dd2-4170-a39e-98675202a6d2", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json b/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json index a12fb7c674..19d9ded164 100644 
--- a/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json +++ b/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b71f5761-3903-4ca5-a9b2-feb0c10dfe9c", + "id": "bundle--3177c715-bb6b-42f8-a556-a85ca66256bc", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jacqueline O'Leary et al. September 2017", diff --git a/ics-attack/relationship/relationship--0c145fb9-b67d-41ef-94a8-8bd3a5eabd3e.json b/ics-attack/relationship/relationship--0c145fb9-b67d-41ef-94a8-8bd3a5eabd3e.json index b86950ecd8..ff0ac996c9 100644 --- a/ics-attack/relationship/relationship--0c145fb9-b67d-41ef-94a8-8bd3a5eabd3e.json +++ b/ics-attack/relationship/relationship--0c145fb9-b67d-41ef-94a8-8bd3a5eabd3e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8bc40d4a-c046-4783-abf1-9c7d81b68893", + "id": "bundle--af0812f9-832a-4841-8f8d-8abf50a7fa0c", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--cb273244-c117-4e32-afc7-f72f4e44e179", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", diff --git a/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json b/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json index b8dd14863b..e27e560226 100644 --- a/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json +++ b/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6ab286eb-3ec8-4114-b5e5-efdcec0bf646", + "id": "bundle--eb606b1b-575f-4fba-b95a-1946ab807bda", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", diff --git a/ics-attack/relationship/relationship--0c27087a-623e-4c22-91ce-aa86ea57d7ab.json b/ics-attack/relationship/relationship--0c27087a-623e-4c22-91ce-aa86ea57d7ab.json index 180f09ff7b..73a03fb397 100644 --- a/ics-attack/relationship/relationship--0c27087a-623e-4c22-91ce-aa86ea57d7ab.json +++ b/ics-attack/relationship/relationship--0c27087a-623e-4c22-91ce-aa86ea57d7ab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--129705ec-7363-4120-91bd-104782c5673d", + "id": "bundle--6aff8d31-3486-4284-b09d-6f22dfd3c352", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--0c27087a-623e-4c22-91ce-aa86ea57d7ab", "created": "2025-09-24T18:19:10.881Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json b/ics-attack/relationship/relationship--0c68501b-8e36-4d75-9e61-7a518a9ca1f2.json similarity index 77% rename from ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json rename to ics-attack/relationship/relationship--0c68501b-8e36-4d75-9e61-7a518a9ca1f2.json index 1d9378ad50..5b63196596 100644 --- a/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json +++ b/ics-attack/relationship/relationship--0c68501b-8e36-4d75-9e61-7a518a9ca1f2.json 
@@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--a2839c6e-d5b3-486a-8fbf-c4d61855b9e3", + "id": "bundle--4aed121f-3ce6-49d1-9ff2-bc8f7a0f080c", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64", + "id": "relationship--0c68501b-8e36-4d75-9e61-7a518a9ca1f2", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0c72593d-fcc6-4023-8771-bed5e243310e.json b/ics-attack/relationship/relationship--0c72593d-fcc6-4023-8771-bed5e243310e.json index 3f5c40439d..b425a82950 100644 --- a/ics-attack/relationship/relationship--0c72593d-fcc6-4023-8771-bed5e243310e.json +++ b/ics-attack/relationship/relationship--0c72593d-fcc6-4023-8771-bed5e243310e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a3a67b41-422a-41e3-a27d-4f0f730b4834", + "id": "bundle--e374601e-0aba-40a9-970b-d8502b6aa0c2", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--0c72593d-fcc6-4023-8771-bed5e243310e", "created": "2023-09-28T21:24:37.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:03.462Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--0cce4090-d079-422c-995e-b4f04b280a7d.json b/ics-attack/relationship/relationship--0cce4090-d079-422c-995e-b4f04b280a7d.json index fcac7dc980..ed1fcb9efb 100644 --- a/ics-attack/relationship/relationship--0cce4090-d079-422c-995e-b4f04b280a7d.json +++ b/ics-attack/relationship/relationship--0cce4090-d079-422c-995e-b4f04b280a7d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9ff0e404-9832-4ba7-b0cf-8bf472cb80a8", + "id": "bundle--758d867e-461e-410f-bd69-24014e04438c", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--0cce4090-d079-422c-995e-b4f04b280a7d", "created": "2025-09-29T19:08:40.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json b/ics-attack/relationship/relationship--0cd64563-f35e-4cb3-94b9-617c868d3671.json similarity index 76% rename from ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json rename to ics-attack/relationship/relationship--0cd64563-f35e-4cb3-94b9-617c868d3671.json index dffee10d5b..b598a7e6ad 100644 --- a/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json +++ b/ics-attack/relationship/relationship--0cd64563-f35e-4cb3-94b9-617c868d3671.json 
@@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--59d529fe-3841-4b5e-ba79-88aa3623898d", + "id": "bundle--190f908d-cd72-40ef-92b5-25b86e5e19f2", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a", + "id": "relationship--0cd64563-f35e-4cb3-94b9-617c868d3671", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security September 2016", @@ -18,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:57.325Z", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "modified": "2026-04-23T19:27:40.834Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--0ce4ccc4-4e9e-4a4b-86d4-3c3838229c3d.json b/ics-attack/relationship/relationship--0ce4ccc4-4e9e-4a4b-86d4-3c3838229c3d.json new file mode 100644 index 0000000000..0b8b61dd3f --- /dev/null +++ b/ics-attack/relationship/relationship--0ce4ccc4-4e9e-4a4b-86d4-3c3838229c3d.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--1314ccca-88e0-4b8f-b91b-4cc19add481b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0ce4ccc4-4e9e-4a4b-86d4-3c3838229c3d", + "created": "2026-04-22T22:29:43.440Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:29:43.440Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--322690b0-eb2a-42a4-a072-3241f7b78033.json b/ics-attack/relationship/relationship--0d379c02-d3bb-4698-b30c-985705a9bfd7.json similarity index 75% rename from ics-attack/relationship/relationship--322690b0-eb2a-42a4-a072-3241f7b78033.json rename to ics-attack/relationship/relationship--0d379c02-d3bb-4698-b30c-985705a9bfd7.json index b303faaeee..c915708f98 100644 --- a/ics-attack/relationship/relationship--322690b0-eb2a-42a4-a072-3241f7b78033.json +++ b/ics-attack/relationship/relationship--0d379c02-d3bb-4698-b30c-985705a9bfd7.json 
@@ -1,21 +1,21 @@ { "type": "bundle", - "id": "bundle--c4b360bf-9334-419f-9500-cecb2fe8a1b0", + "id": "bundle--a325173b-b8e7-452e-8cb2-832bcf6c286f", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--322690b0-eb2a-42a4-a072-3241f7b78033", + "id": "relationship--0d379c02-d3bb-4698-b30c-985705a9bfd7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--05f7d4e4-ae99-4339-b71a-59f1e317dc6d", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" diff --git a/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json b/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json index 5a202248c0..1a742359ff 100644 --- a/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json +++ b/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3a532f45-421d-49c2-b621-9974c3030d5e", + "id": "bundle--9fb6b937-8bc4-4628-b269-f6790559262e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--0d4f2f88-e176-42c7-8258-52b345045662", "created": "2022-09-28T20:29:51.844Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA-AA22-103A", 
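Review bot: The context line `"modified": "2025-10-21T15:10:28.402Z"` stays unchanged although this hunk gives the object a new `id` and points `target_ref` at a different attack-pattern. A consumer that syncs incrementally on `modified` would not pick up the new detects mapping. The old id relationship--322690b0-eb2a-42a4-a072-3241f7b78033 is also renamed away in this diff with no revoked or deprecated version left behind, so cached copies of it are never retired. I would bump the timestamp to the time of the retargeting, as the relationship--0cd64563-f35e-4cb3-94b9-617c868d3671 rename does with `"modified": "2026-04-23T19:27:40.834Z"`. The two earlier mitigates renames (relationship--0bdfc1b0-3dd2-4170-a39e-98675202a6d2 and relationship--0c68501b-8e36-4d75-9e61-7a518a9ca1f2) look like the same case, but their `modified` line falls between hunks and is not visible here.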
diff --git a/ics-attack/relationship/relationship--0d52eea3-394e-492b-944b-9ccb6348329d.json b/ics-attack/relationship/relationship--0d52eea3-394e-492b-944b-9ccb6348329d.json index a744ef10e2..24e89c4fab 100644 --- a/ics-attack/relationship/relationship--0d52eea3-394e-492b-944b-9ccb6348329d.json +++ b/ics-attack/relationship/relationship--0d52eea3-394e-492b-944b-9ccb6348329d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dad27858-e463-45e4-a60f-608f88198db3", + "id": "bundle--003dd0a4-e02f-4d66-b352-a41325881efb", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--0d52eea3-394e-492b-944b-9ccb6348329d", "created": "2023-09-28T21:14:41.633Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:04.553Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--0d537021-040f-4592-a3e0-006be5502615.json b/ics-attack/relationship/relationship--0d537021-040f-4592-a3e0-006be5502615.json new file mode 100644 index 0000000000..cabe4280ee --- /dev/null +++ b/ics-attack/relationship/relationship--0d537021-040f-4592-a3e0-006be5502615.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--01310ff8-83b7-440c-830c-15b18c525d84", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0d537021-040f-4592-a3e0-006be5502615", + "created": "2026-04-22T22:49:50.189Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:49:50.189Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0d563cbc-b22c-4748-b082-db98bb7f0dab.json b/ics-attack/relationship/relationship--0d563cbc-b22c-4748-b082-db98bb7f0dab.json index 0673c80d9a..34f210f892 100644 --- a/ics-attack/relationship/relationship--0d563cbc-b22c-4748-b082-db98bb7f0dab.json +++ b/ics-attack/relationship/relationship--0d563cbc-b22c-4748-b082-db98bb7f0dab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--adf3881a-c68f-4f0e-999e-c0171f198dfb", + "id": "bundle--6053405e-4ee4-43e0-a909-89499ad1660e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--0d563cbc-b22c-4748-b082-db98bb7f0dab", "created": "2024-11-20T23:08:24.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", diff --git a/ics-attack/relationship/relationship--0d8e0324-ba8e-4712-a123-60377afe94da.json b/ics-attack/relationship/relationship--0d8e0324-ba8e-4712-a123-60377afe94da.json index 192e18a236..dc242532d3 100644 --- a/ics-attack/relationship/relationship--0d8e0324-ba8e-4712-a123-60377afe94da.json 
+++ b/ics-attack/relationship/relationship--0d8e0324-ba8e-4712-a123-60377afe94da.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e45f629e-ca81-477b-b472-4351f4bb037d", + "id": "bundle--6f60965f-c65b-43df-9d07-e450273c9ba2", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--0d8e0324-ba8e-4712-a123-60377afe94da", "created": "2023-09-29T18:48:17.073Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:05.201Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--0d985b02-cf5f-4307-92ef-9b45eb41bb1b.json b/ics-attack/relationship/relationship--0d985b02-cf5f-4307-92ef-9b45eb41bb1b.json new file mode 100644 index 0000000000..daa883e532 --- /dev/null +++ b/ics-attack/relationship/relationship--0d985b02-cf5f-4307-92ef-9b45eb41bb1b.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a7a1bd39-b9f8-43af-967d-2dabf0d49b42", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0d985b02-cf5f-4307-92ef-9b45eb41bb1b", + "created": "2026-04-23T00:32:54.549Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:32:54.549Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--e90f1c0c-f2c5-4fe1-942f-411574df043f", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136.json b/ics-attack/relationship/relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136.json index 1734305b60..ead529ca0c 100644 --- a/ics-attack/relationship/relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136.json +++ b/ics-attack/relationship/relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0782ce05-3fc7-4397-98f4-375d9e80c8de", + "id": "bundle--2d1f0bc5-4f3f-42b0-aa97-95375a584339", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136", "created": "2023-09-29T17:57:12.010Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:05.408Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json b/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json index c4b3796afe..a532fdbe6b 100644 --- a/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json +++ b/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--af6e9d29-26da-438c-90ce-8a73d1162482", + "id": "bundle--b7b697cd-06ee-4aca-81c2-55ff1ccf3d00", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0e0eed7f-1569-4596-9931-bca61a35dc3b.json b/ics-attack/relationship/relationship--0e0eed7f-1569-4596-9931-bca61a35dc3b.json index 6fc8db213c..cf16ffe2a5 100644 --- a/ics-attack/relationship/relationship--0e0eed7f-1569-4596-9931-bca61a35dc3b.json 
+++ b/ics-attack/relationship/relationship--0e0eed7f-1569-4596-9931-bca61a35dc3b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--667a54ad-9040-4d6c-948f-5741bb1a7267", + "id": "bundle--f2319c47-d37e-41f2-98ce-cd9d9de7678f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--0e0eed7f-1569-4596-9931-bca61a35dc3b", "created": "2025-09-29T21:59:48.001Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81.json b/ics-attack/relationship/relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81.json index 4960b81607..d937cb9bf6 100644 --- a/ics-attack/relationship/relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81.json +++ b/ics-attack/relationship/relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b052c950-e38c-46fe-86c0-0d2db636f4d6", + "id": "bundle--f018e62c-e3e0-49b5-8c3b-73cf7d10099c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--0e191d66-fe38-4f28-ad82-6922bd6bcc81", "created": "2024-04-09T20:58:17.933Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:06.044Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954.json b/ics-attack/relationship/relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954.json index 82b0746626..28848b400c 100644 --- a/ics-attack/relationship/relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954.json 
+++ b/ics-attack/relationship/relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f0d5d32c-5935-40d0-a253-78c79a0816b5", + "id": "bundle--f03946c7-8a76-4794-b3f9-058446caea36", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954", "created": "2023-09-29T16:27:50.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:06.275Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json b/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json index 0aed77a2f3..9f57374af0 100644 --- a/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json +++ b/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--061dbd04-9c2a-4bab-a872-9739c644d3ce", + "id": "bundle--ddf20bb2-3c94-4237-9bb0-b43db5735d26", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json b/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json index 4bf954b7c9..01f095f263 100644 --- a/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json 
+++ b/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce4d4a12-7cd9-4cee-a5f4-2512834c34d9", + "id": "bundle--49eb25b6-c6d4-44dc-b930-a19fc0bc5fb2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0e9d5ca1-5bb1-415f-b31b-d4187d58f4ae.json b/ics-attack/relationship/relationship--0e9d5ca1-5bb1-415f-b31b-d4187d58f4ae.json index ac42597445..9f2a2fa4ce 100644 --- a/ics-attack/relationship/relationship--0e9d5ca1-5bb1-415f-b31b-d4187d58f4ae.json +++ b/ics-attack/relationship/relationship--0e9d5ca1-5bb1-415f-b31b-d4187d58f4ae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0450fa32-157b-4e89-9405-b71bd6782a24", + "id": "bundle--6e71e3f3-edc4-44cd-9888-0ce3449bac4e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--0e9d5ca1-5bb1-415f-b31b-d4187d58f4ae", "created": "2025-09-29T19:07:47.713Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--0e9d621b-7d0b-4490-b46f-2a671abca251.json b/ics-attack/relationship/relationship--0e9d621b-7d0b-4490-b46f-2a671abca251.json new file mode 100644 index 0000000000..2d9ddb52b2 --- /dev/null +++ b/ics-attack/relationship/relationship--0e9d621b-7d0b-4490-b46f-2a671abca251.json 
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--5a8bc04c-e9d7-4e91-be45-12fb00649eae",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--0e9d621b-7d0b-4490-b46f-2a671abca251",
+ "created": "2026-04-22T21:40:02.113Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T21:40:02.113Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9",
+ "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json b/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json
index c8a7f11233..c83643e578 100644
--- a/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json
+++ b/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b5839f54-b10c-41e8-8a83-15ddd4692caa",
+ "id": "bundle--68d7f19f-f0bc-46b5-b1d9-e0cdc9118f2a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8",
 "created": "2018-04-18T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Dragos",
diff --git a/ics-attack/relationship/relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29.json b/ics-attack/relationship/relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29.json
index 43bc58cbca..2ef3b7cce9 100644
--- a/ics-attack/relationship/relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29.json
+++ b/ics-attack/relationship/relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5656b6e1-f902-449f-a2dd-ce19070fdc22",
+ "id": "bundle--459ff077-6f62-47e7-8604-f9b9a841bb8c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29",
 "created": "2023-09-29T17:57:34.378Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:07.422Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
 "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
diff --git a/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json b/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json
index 0542e3a96c..ba0411219c 100644
--- a/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json
+++ b/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fb6e7872-a475-430d-b735-ac6a083a33fd",
+ "id": "bundle--c2440e82-3db8-42ab-9201-d777cd26cbcd",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2",
 "created": "2018-04-18T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Andy Greenburg June 2019",
diff --git a/ics-attack/relationship/relationship--0f20baa2-20cd-49de-bfa4-5b9765ceacf1.json b/ics-attack/relationship/relationship--0f20baa2-20cd-49de-bfa4-5b9765ceacf1.json
index a199f3d1c0..aa6ca67234 100644
--- a/ics-attack/relationship/relationship--0f20baa2-20cd-49de-bfa4-5b9765ceacf1.json
+++ b/ics-attack/relationship/relationship--0f20baa2-20cd-49de-bfa4-5b9765ceacf1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--aeab93d2-2856-4965-80f1-dc66f699df45",
+ "id": "bundle--a9342eae-842e-40a1-ae1d-16508d04c00d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--0f20baa2-20cd-49de-bfa4-5b9765ceacf1",
 "created": "2025-09-29T19:47:19.964Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--0f41614d-c37c-47d1-9616-6dae9b73b532.json b/ics-attack/relationship/relationship--0f41614d-c37c-47d1-9616-6dae9b73b532.json
new file mode 100644
index 0000000000..b36cd51876
--- /dev/null
+++ b/ics-attack/relationship/relationship--0f41614d-c37c-47d1-9616-6dae9b73b532.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--2a5362bc-183c-4c91-a6bf-6b3f365baf83",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--0f41614d-c37c-47d1-9616-6dae9b73b532",
+ "created": "2026-04-22T17:51:17.695Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T16:19:22.209Z",
+ "description": "Allow for code signing of any project files stored at rest to prevent unauthorized tampering. Ensure the signing keys are not easily accessible on the same system.",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
+ "target_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
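Review bot: The `description` added in relationship--0f41614d-c37c-47d1-9616-6dae9b73b532 says code signing of project files will "prevent unauthorized tampering", but a signature only makes tampering detectable, and only when whatever opens or downloads the file actually verifies it. I would reword the first sentence along the lines of `Sign project files stored at rest and verify the signature before they are opened or downloaded, so that unauthorized modification is detected.` The second sentence is sound but vague about what "not easily accessible" means; `Keep the signing keys off the system that stores the project files, for example in a hardware security module or a separate signing service.` gives a defender something to check.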
diff --git a/ics-attack/relationship/relationship--0f5295ce-d705-4541-8dda-c569b126d103.json b/ics-attack/relationship/relationship--0f5295ce-d705-4541-8dda-c569b126d103.json
index 3a0a744649..599f77a8d8 100644
--- a/ics-attack/relationship/relationship--0f5295ce-d705-4541-8dda-c569b126d103.json
+++ b/ics-attack/relationship/relationship--0f5295ce-d705-4541-8dda-c569b126d103.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c72f8506-4841-4b53-8dbd-075ba34b9ce4",
+ "id": "bundle--218e4961-eaf1-4f8b-86a9-e05e2e0b185f",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--0f5295ce-d705-4541-8dda-c569b126d103",
 "created": "2023-10-02T20:24:03.723Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:07.855Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
 "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
diff --git a/ics-attack/relationship/relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72.json b/ics-attack/relationship/relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72.json
index 1105b87a48..99551a633a 100644
--- a/ics-attack/relationship/relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72.json
+++ b/ics-attack/relationship/relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e87793a5-539b-4442-8c5f-03672e57c116",
+ "id": "bundle--4061fa0f-07bc-4649-9cc2-303cff4cf65d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72",
 "created": "2023-09-29T17:09:11.210Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:08.076Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
 "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
diff --git a/ics-attack/relationship/relationship--0f7a9b56-e3b4-4cc9-9ea7-32faebad74b6.json b/ics-attack/relationship/relationship--0f7a9b56-e3b4-4cc9-9ea7-32faebad74b6.json
new file mode 100644
index 0000000000..1c9d4ca2ef
--- /dev/null
+++ b/ics-attack/relationship/relationship--0f7a9b56-e3b4-4cc9-9ea7-32faebad74b6.json
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--335b5466-afe4-4685-86a5-ccb5b81ac985", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0f7a9b56-e3b4-4cc9-9ea7-32faebad74b6", + "created": "2026-04-22T17:59:09.398Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" + }, + { + "source_name": "Colin Gray", + "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" + }, + { + "source_name": "D. Parsons and D. Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, + { + "source_name": "Josh Rinaldi April 2016", + "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", + "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" + }, + { + "source_name": "Langner November 2018", + "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 
2020/09/25 ", + "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:42:26.192Z", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.(Citation: D. Parsons and D. Wylie September 2019)(Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery(Citation: Josh Rinaldi April 2016), BACnet(Citation: Aditya K Sood July 2019), and Ethernet/IP.(Citation: Langner November 2018)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json b/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json index 202c131444..0a0830bddf 100644 --- a/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json +++ b/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1dee919b-5df1-48ae-8cbb-f8dbbb66017c", + "id": "bundle--175fc426-cd25-43d0-83be-4d25e0d8b663", "spec_version": "2.0", "objects": [ { 
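Review bot: In the new file for relationship--0f7a9b56-e3b4-4cc9-9ea7-32faebad74b6, the `external_references` entry with `"source_name": "Colin Gray"` has a `description` that runs two citations together: it opens with the D. Parsons and D. Wylie title and retrieval date and only then gives "How SDN Can Improve Cybersecurity in OT Networks", which is the title its `url` appears to point to. That description should carry only its own citation, e.g. `"description": "Colin Gray How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 "`, leaving the Parsons and Wylie text to the entry that follows. The `source_name` also lacks the month and year suffix the other four entries use, so it is worth confirming that the `(Citation: Colin Gray)` marker in the relationship `description` is meant to resolve to this entry.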
diff --git a/ics-attack/relationship/relationship--bffad8de-a807-4216-9753-008a87d9d77f.json b/ics-attack/relationship/relationship--0fd7d59d-9622-41c0-8e41-4ac4d1ac6655.json
similarity index 71%
rename from ics-attack/relationship/relationship--bffad8de-a807-4216-9753-008a87d9d77f.json
rename to ics-attack/relationship/relationship--0fd7d59d-9622-41c0-8e41-4ac4d1ac6655.json
index 594506b64b..67b9726a87 100644
--- a/ics-attack/relationship/relationship--bffad8de-a807-4216-9753-008a87d9d77f.json
+++ b/ics-attack/relationship/relationship--0fd7d59d-9622-41c0-8e41-4ac4d1ac6655.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--94521102-8757-40d5-ab67-b53040000080",
+ "id": "bundle--04a26985-3d05-4606-9deb-219ea33985a0",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--bffad8de-a807-4216-9753-008a87d9d77f",
+ "id": "relationship--0fd7d59d-9622-41c0-8e41-4ac4d1ac6655",
 "created": "2023-09-28T19:56:40.730Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -13,13 +13,12 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:04:31.162Z",
- "description": "",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "source_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39",
 "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json b/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json
index 83749a9fcb..05c169d600 100644
--- a/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json
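Review bot: The object in this section gets a new `id` (relationship--0fd7d59d-9622-41c0-8e41-4ac4d1ac6655) and a different `source_ref`, yet `created` and `modified` are carried over unchanged from the object it replaces (`2023-09-28T19:56:40.730Z` and `2025-04-16T23:04:31.162Z`). Tooling that filters on `modified` to find what changed in a release would not see this re-pointed relationship, and as far as this diff shows the old id relationship--bffad8de-a807-4216-9753-008a87d9d77f simply disappears rather than being published as revoked or deprecated. I would set `"modified"` on the new object to the time of this change, and ideally `"created"` as well since it is a new id. The sections for relationship--112ef370-9936-4c3a-9faf-2861600500bd and relationship--11b201bc-675b-46ac-89a6-80f90deecc12 follow the same pattern.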
+++ b/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4b12652f-ee9f-4d0e-a667-99011fde27ce",
+ "id": "bundle--121ac442-a848-4895-9852-b578e169bdb1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json b/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json
index a69c5b5e03..47ef708a58 100644
--- a/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json
+++ b/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ec8d3f16-5368-42f8-954f-06a2158f150e",
+ "id": "bundle--72c72348-219c-4be3-bf66-6dc9b8122e30",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--10022aa8-b77b-4173-bcea-bc92d2b9f756.json b/ics-attack/relationship/relationship--10022aa8-b77b-4173-bcea-bc92d2b9f756.json
new file mode 100644
index 0000000000..be090c079f
--- /dev/null
+++ b/ics-attack/relationship/relationship--10022aa8-b77b-4173-bcea-bc92d2b9f756.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--e269e9ca-1f97-47a5-b1e5-3d1e2f5bff5b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--10022aa8-b77b-4173-bcea-bc92d2b9f756",
+ "created": "2026-04-22T18:59:05.627Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T18:59:05.627Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a",
+ "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--10118728-17b8-41a2-b4d6-d8661bc177df.json b/ics-attack/relationship/relationship--10118728-17b8-41a2-b4d6-d8661bc177df.json
index b392d8dbf1..84ed730c22 100644
--- a/ics-attack/relationship/relationship--10118728-17b8-41a2-b4d6-d8661bc177df.json
+++ b/ics-attack/relationship/relationship--10118728-17b8-41a2-b4d6-d8661bc177df.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--551d062e-ca7d-4e14-8338-ab3cec7402cf",
+ "id": "bundle--3d24ab77-94db-416c-85ba-86d69497bdc8",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--10118728-17b8-41a2-b4d6-d8661bc177df",
 "created": "2025-09-29T19:06:51.691Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--102553a8-d57d-4946-a9f0-086ef1683e1d.json b/ics-attack/relationship/relationship--102553a8-d57d-4946-a9f0-086ef1683e1d.json
new file mode 100644
index 0000000000..c2047da97e
--- /dev/null
+++ b/ics-attack/relationship/relationship--102553a8-d57d-4946-a9f0-086ef1683e1d.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--148bccd3-d489-467b-a8e7-7c6915bffdd4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--102553a8-d57d-4946-a9f0-086ef1683e1d",
+ "created": "2026-04-22T22:32:16.270Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T22:32:16.270Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855",
+ "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json b/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json
index 2633b697c5..c11efacbad 100644
--- a/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json
+++ b/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e2bb3b3f-103f-4f0a-b420-a04f7ef69b80",
+ "id": "bundle--afcc89f1-6e26-45f1-9419-ce918a486cdf",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json b/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json
index f1a08bb492..9854ef8b77 100644
--- a/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json
+++ b/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--256e6f07-e6dc-4667-b30c-8e7a8d275845",
+ "id": "bundle--f367c624-22eb-4580-a7a2-d693afdbfa43",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--106530e1-375a-4ac4-befb-8297b3b05610.json b/ics-attack/relationship/relationship--106530e1-375a-4ac4-befb-8297b3b05610.json
index 9ee427bc68..8a0f73e239 100644
--- a/ics-attack/relationship/relationship--106530e1-375a-4ac4-befb-8297b3b05610.json
+++ b/ics-attack/relationship/relationship--106530e1-375a-4ac4-befb-8297b3b05610.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e7eb1a22-b05e-4811-ab0d-119e507a7c48",
+ "id": "bundle--7efc5876-6f2c-4e5d-b3cd-55d45607be91",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--106530e1-375a-4ac4-befb-8297b3b05610",
 "created": "2023-09-29T18:55:58.199Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:09.431Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
 "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
diff --git a/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json b/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json
index 7f2406ad0b..8ae5332f2e 100644
--- a/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json
+++ b/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fd909fc5-1543-4f24-8b7f-2637f8317067",
+ "id": "bundle--48767e56-95bc-43c3-99d2-95727b14f85d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json b/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json
index eef0859df9..eab30954c3 100644
--- a/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json
+++ b/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c286d82f-5a67-4e26-b145-cb44cfc124d0",
+ "id": "bundle--10413778-a077-407b-817c-f81f0bb463da",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--dede1ad8-7375-4d53-8a18-ac88008c78e1.json b/ics-attack/relationship/relationship--112ef370-9936-4c3a-9faf-2861600500bd.json
similarity index 78%
rename from ics-attack/relationship/relationship--dede1ad8-7375-4d53-8a18-ac88008c78e1.json
rename to ics-attack/relationship/relationship--112ef370-9936-4c3a-9faf-2861600500bd.json
index 7025cd76d4..c47448ccac 100644
--- a/ics-attack/relationship/relationship--dede1ad8-7375-4d53-8a18-ac88008c78e1.json
+++ b/ics-attack/relationship/relationship--112ef370-9936-4c3a-9faf-2861600500bd.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--283102a2-19ea-4213-8c40-6294659ac063",
+ "id": "bundle--f88cea44-daec-4e79-af64-ca5569126795",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--dede1ad8-7375-4d53-8a18-ac88008c78e1",
+ "id": "relationship--112ef370-9936-4c3a-9faf-2861600500bd",
 "created": "2025-09-29T22:06:41.935Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -14,7 +14,7 @@
 ],
 "modified": "2025-09-29T22:06:41.935Z",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265",
 "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
diff --git a/ics-attack/relationship/relationship--11840b30-f0d1-4df5-a960-cdb80749c32a.json b/ics-attack/relationship/relationship--11840b30-f0d1-4df5-a960-cdb80749c32a.json
index 7fcfddd36d..ebf6386da3 100644
--- a/ics-attack/relationship/relationship--11840b30-f0d1-4df5-a960-cdb80749c32a.json
+++ b/ics-attack/relationship/relationship--11840b30-f0d1-4df5-a960-cdb80749c32a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1a6d2a5f-1b99-4981-a10c-6d7003713c4f",
+ "id": "bundle--219f3392-4645-4430-a494-ede2f50903bd",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--11840b30-f0d1-4df5-a960-cdb80749c32a",
 "created": "2023-09-29T17:07:25.209Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:10.529Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
 "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
diff --git a/ics-attack/relationship/relationship--119aea8f-443f-4831-8143-ec6cd43021cb.json b/ics-attack/relationship/relationship--119aea8f-443f-4831-8143-ec6cd43021cb.json
new file mode 100644
index 0000000000..7e7e6e5ea6
--- /dev/null
+++ b/ics-attack/relationship/relationship--119aea8f-443f-4831-8143-ec6cd43021cb.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--cb1fbee7-f75a-4c77-a93a-ba4342151c0d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--119aea8f-443f-4831-8143-ec6cd43021cb",
+ "created": "2026-04-20T20:58:48.359Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-20T20:58:48.359Z",
+ "relationship_type": "revoked-by",
+ "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
+ "target_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--11a82651-4d69-4738-89c6-17d0243cbbb0.json b/ics-attack/relationship/relationship--11a82651-4d69-4738-89c6-17d0243cbbb0.json
index cef7d4730a..17e7e16e06 100644
--- a/ics-attack/relationship/relationship--11a82651-4d69-4738-89c6-17d0243cbbb0.json
+++ b/ics-attack/relationship/relationship--11a82651-4d69-4738-89c6-17d0243cbbb0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6617d9f7-86a1-4c76-a123-36a7dc3e3a65",
+ "id": "bundle--a81bec03-81b6-4eae-9e4c-dea20e15993c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--11a82651-4d69-4738-89c6-17d0243cbbb0",
 "created": "2023-09-29T17:37:26.536Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:10.753Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
 "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
diff --git a/ics-attack/relationship/relationship--10bdec75-567b-4b5a-aaa9-d935ebbba349.json b/ics-attack/relationship/relationship--11b201bc-675b-46ac-89a6-80f90deecc12.json
similarity index 75%
rename from ics-attack/relationship/relationship--10bdec75-567b-4b5a-aaa9-d935ebbba349.json
rename to ics-attack/relationship/relationship--11b201bc-675b-46ac-89a6-80f90deecc12.json
index cb248b3c1e..f53fb1eeb9 100644
--- a/ics-attack/relationship/relationship--10bdec75-567b-4b5a-aaa9-d935ebbba349.json
+++ b/ics-attack/relationship/relationship--11b201bc-675b-46ac-89a6-80f90deecc12.json
@@ -1,21 +1,21 @@
 {
 "type": "bundle",
- "id": "bundle--db130aa4-25b9-45e8-83d4-b60879cea0f6",
+ "id": "bundle--382cca55-cd7d-4fa3-aadd-e00331f46013",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--10bdec75-567b-4b5a-aaa9-d935ebbba349",
+ "id": "relationship--11b201bc-675b-46ac-89a6-80f90deecc12",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-10-21T15:10:28.402Z",
- "description": "",
 "relationship_type": "detects",
 "source_ref": "x-mitre-detection-strategy--2a1619a7-dd27-48e4-b56f-806cb3d2e405",
- "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.3.0"
diff --git a/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json b/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json
index 111d9f0505..3714fbdbf7 100644
--- a/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json
+++ b/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--74ab6820-e8bd-4215-a830-cf1be3624b83",
+ "id": "bundle--87ad362f-65fb-440a-9eb1-efef910c1c18",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab",
 "created": "2021-04-13T12:28:20.652Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Ben Hunter and Fred Gutierrez July 2020",
diff --git a/ics-attack/relationship/relationship--128de3f9-df58-4122-9523-0ac65a6ebf71.json b/ics-attack/relationship/relationship--128de3f9-df58-4122-9523-0ac65a6ebf71.json
index 0dada665ac..217c8f9469 100644
--- a/ics-attack/relationship/relationship--128de3f9-df58-4122-9523-0ac65a6ebf71.json
+++ b/ics-attack/relationship/relationship--128de3f9-df58-4122-9523-0ac65a6ebf71.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3871bc7b-a925-451d-ac13-dc93a23d465c",
+ "id": "bundle--2f3a4005-9c30-4a9e-b911-e07295fba727",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--128de3f9-df58-4122-9523-0ac65a6ebf71",
 "created": "2023-09-29T17:45:20.237Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:11.438Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
 "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
diff --git a/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json b/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json
index 6bb73f11eb..1e2c036593 100644
--- a/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json
+++ b/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8eead125-e832-46ce-a9a8-e7c81d35a137",
+ "id": "bundle--4bd2941e-25c7-436c-87a4-b3d033226584",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json b/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json
index e7667e585c..b06bd37f63 100644
--- a/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json
+++ b/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e47aa06d-ebe3-4a42-929e-e35efc8f4981",
+ "id": "bundle--86d1ca7d-df94-4070-bcce-d0f0daf2925e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json b/ics-attack/relationship/relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json
index 61b551b3c1..ba5dce4644 100644
--- a/ics-attack/relationship/relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json
+++ b/ics-attack/relationship/relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a1d5506a-1e9b-4107-a741-c933d5a9f105",
+ "id": "bundle--7af3907e-59d9-471e-9eac-1d6a2417e2ba",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4",
 "created": "2023-09-28T21:13:23.057Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:12.182Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
 "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
diff --git a/ics-attack/relationship/relationship--12e84466-fb05-4d55-9220-5933ee0fcb43.json b/ics-attack/relationship/relationship--12e84466-fb05-4d55-9220-5933ee0fcb43.json
index 5e7177074b..6979553168 100644
--- a/ics-attack/relationship/relationship--12e84466-fb05-4d55-9220-5933ee0fcb43.json
+++ b/ics-attack/relationship/relationship--12e84466-fb05-4d55-9220-5933ee0fcb43.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--69d422e4-b81d-4057-9481-97009fbb03d4",
+ "id": "bundle--f3f5d165-fab2-47a0-a543-61dbee45db77",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--12e84466-fb05-4d55-9220-5933ee0fcb43",
 "created": "2024-11-20T23:16:42.816Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Dragos FROSTYGOOP 2024",
diff --git a/ics-attack/relationship/relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36.json b/ics-attack/relationship/relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36.json
index 40e05e9a53..5119569841 100644
--- a/ics-attack/relationship/relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36.json
+++ b/ics-attack/relationship/relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--beb4b6bd-f10b-45e0-a57f-4a54b9638cc7",
+ "id": "bundle--017b9d10-a7f5-42ef-a2a7-822657c5f3bf",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36",
 "created": "2023-09-28T19:39:58.335Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:12.635Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
 "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
diff --git a/ics-attack/relationship/relationship--135b08ae-715b-4f45-9f03-0d156547e09b.json b/ics-attack/relationship/relationship--135b08ae-715b-4f45-9f03-0d156547e09b.json
index d5286d1c58..080c7dfda8 100644
--- a/ics-attack/relationship/relationship--135b08ae-715b-4f45-9f03-0d156547e09b.json
+++ b/ics-attack/relationship/relationship--135b08ae-715b-4f45-9f03-0d156547e09b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1a30860b-78b6-4c23-a27c-8cfe3e56f074",
+ "id": "bundle--61740492-c8c0-4885-8c4e-6bc22f28f762",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--135b08ae-715b-4f45-9f03-0d156547e09b",
 "created": "2025-09-24T18:18:19.305Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--137ce4a2-be4c-4eb7-b92c-d686fa2a1044.json b/ics-attack/relationship/relationship--137ce4a2-be4c-4eb7-b92c-d686fa2a1044.json
new file mode 100644
index 0000000000..00869157f9
--- /dev/null
+++ b/ics-attack/relationship/relationship--137ce4a2-be4c-4eb7-b92c-d686fa2a1044.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--70791387-44ae-426f-ba32-42921786ca32",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--137ce4a2-be4c-4eb7-b92c-d686fa2a1044",
+ "created": "2026-04-23T00:04:33.425Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T17:32:08.567Z",
+ "description": "Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device.",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
+ "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json b/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json
index 26cf441dc6..ce5bdd7f7d 100644
--- a/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json
+++ b/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d0bd0848-d1e3-478b-abad-686f6316a29f",
+ "id": "bundle--a9ea7995-4282-4b0f-b465-5f2a9a886b4a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--13809e98-1d74-4c39-b882-9d523c76cbde",
 "created": "2021-04-13T12:36:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Jos Wetzels January 2018",
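Review bot: The new relationship--137ce4a2 object in this hunk is written with `"revoked": false`, while the neighbouring hunks in the same change delete exactly that line from existing relationships, so the repository ends up with two serialisations of the same default. The other added files (relationship--13cfe7cd, --152dbbf5, --1582107d, --171ed9c4, --17925772) and the renamed relationship--16b92a53 do the same. Presumably this is an exporter difference rather than intent; dropping the line from the new objects, or keeping it everywhere, would keep release-to-release diffs quiet for anyone who tracks mitigation and detection mappings by diffing this data.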
diff --git a/ics-attack/relationship/relationship--13cfe7cd-6ee4-4d8c-8c3e-b115686b7da7.json b/ics-attack/relationship/relationship--13cfe7cd-6ee4-4d8c-8c3e-b115686b7da7.json new file mode 100644 index 0000000000..1abdfb4ddf --- /dev/null +++ b/ics-attack/relationship/relationship--13cfe7cd-6ee4-4d8c-8c3e-b115686b7da7.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--e5961f35-76e6-4937-a2fb-c667da38e885", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--13cfe7cd-6ee4-4d8c-8c3e-b115686b7da7", + "created": "2026-04-22T21:39:01.006Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:39:01.006Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json b/ics-attack/relationship/relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json index 35d6b231fa..e36068ae1c 100644 --- a/ics-attack/relationship/relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json +++ b/ics-attack/relationship/relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--62b40034-1f22-44be-864e-86f2a7337a79", + "id": "bundle--8ecbc201-697a-4cd4-bda1-dc5a9a23a7c8", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@
 "id": "relationship--13d76624-7049-45c5-94d3-8f172b7f6336",
 "created": "2023-09-27T14:48:58.922Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Booz Allen Hamilton",
diff --git a/ics-attack/relationship/relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93.json b/ics-attack/relationship/relationship--14055bc9-dc7c-47db-b541-77d05d486018.json
similarity index 71%
rename from ics-attack/relationship/relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93.json
rename to ics-attack/relationship/relationship--14055bc9-dc7c-47db-b541-77d05d486018.json
index 2799f267d0..3be9ce94cd 100644
--- a/ics-attack/relationship/relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93.json
+++ b/ics-attack/relationship/relationship--14055bc9-dc7c-47db-b541-77d05d486018.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--b66e7cc8-0741-4603-9be4-f8a1d0efad4c",
+ "id": "bundle--079c3fcb-b6a3-4f77-9d16-e190933bc87d",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93",
+ "id": "relationship--14055bc9-dc7c-47db-b541-77d05d486018",
 "created": "2023-09-29T17:57:55.162Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -13,13 +13,12 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:02:20.428Z",
- "description": "",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2",
 "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
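Review bot: In the relationship--14055bc9 file (detected by git as a 71% rename of relationship--4f4e2e9e), `modified` stays at `2025-04-16T23:02:20.428Z` although the object gets a new `id`, a different `source_ref` and `x_mitre_attack_spec_version` 3.3.0. A consumer that syncs incrementally on `modified` could treat this technique-to-asset mapping as old data, and the previous id disappears without a revoked record to follow. The relationship--16b92a53 rename later in this change does refresh `modified`, so this looks like an oversight; I would set it to the time of this edit, e.g. `"modified": "<TIMESTAMP_OF_THIS_EDIT>"`. Git's rename pairing is similarity-based, so if these are really a deletion plus an unrelated new object, the 2023 `created` value deserves the same look.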
diff --git a/ics-attack/relationship/relationship--14178a60-b894-4186-b83b-5ffd043f4cfc.json b/ics-attack/relationship/relationship--14178a60-b894-4186-b83b-5ffd043f4cfc.json index 4813e7769a..adee083644 100644 --- a/ics-attack/relationship/relationship--14178a60-b894-4186-b83b-5ffd043f4cfc.json +++ b/ics-attack/relationship/relationship--14178a60-b894-4186-b83b-5ffd043f4cfc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc7ee0dc-432b-4ca1-bb13-35a8c321d9ce", + "id": "bundle--880b20af-fef7-4930-b015-76d65efb9146", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--709e05b2-6400-43a2-9bbf-b64f6017b023", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", diff --git a/ics-attack/relationship/relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json b/ics-attack/relationship/relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json index 6201e629db..f0d61ee13a 100644 --- a/ics-attack/relationship/relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json +++ b/ics-attack/relationship/relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0df9d6b2-d32e-4c74-8600-9e34660b1588", + "id": "bundle--6683d74c-9a8b-4b79-8f99-e48d671bc6b3", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6", "created": "2023-10-02T20:24:12.666Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:13.959Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
diff --git a/ics-attack/relationship/relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json b/ics-attack/relationship/relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json index a10887f5bb..0659108d0b 100644 --- a/ics-attack/relationship/relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json +++ b/ics-attack/relationship/relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--07ffa0a8-bd8c-495c-8a81-0d3feae6d6e8", + "id": "bundle--2d4c912d-0b9d-47a7-9e4e-69cb5018745b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc", "created": "2023-09-29T16:32:33.078Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:14.173Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495.json b/ics-attack/relationship/relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495.json index b6d50dafb9..49b1a6f460 100644 --- a/ics-attack/relationship/relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495.json +++ b/ics-attack/relationship/relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c229bd81-d7b2-4b3a-aa02-e65c9252b34f", + "id": "bundle--fabface9-bf87-4b45-9295-c29ba1dfab6b", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495", "created": "2023-09-29T16:40:06.079Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:14.631Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--152dbbf5-b069-4784-aabd-c50e2fd6bd53.json b/ics-attack/relationship/relationship--152dbbf5-b069-4784-aabd-c50e2fd6bd53.json new file mode 100644 index 0000000000..dc5fa8083b --- /dev/null +++ b/ics-attack/relationship/relationship--152dbbf5-b069-4784-aabd-c50e2fd6bd53.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--2d99073c-f088-48ac-b94c-b5c5fa3eefef", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--152dbbf5-b069-4784-aabd-c50e2fd6bd53", + "created": "2026-04-22T22:51:33.389Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:51:33.389Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1531a280-e280-465c-826d-ce357935a89c.json b/ics-attack/relationship/relationship--1531a280-e280-465c-826d-ce357935a89c.json index 773c4fe9f6..fad1881809 100644 
--- a/ics-attack/relationship/relationship--1531a280-e280-465c-826d-ce357935a89c.json +++ b/ics-attack/relationship/relationship--1531a280-e280-465c-826d-ce357935a89c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--17afb330-27a4-46a9-a4a2-0d41c6b2b0a3", + "id": "bundle--80d7f067-b9c0-45dd-9ec6-c19f36a86a00", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ec442b22-3dc8-4b2b-8294-b76b0f01d748", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", diff --git a/ics-attack/relationship/relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a.json b/ics-attack/relationship/relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a.json index 0fe37a3d1f..7bbd56c4de 100644 --- a/ics-attack/relationship/relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a.json +++ b/ics-attack/relationship/relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--178c9b17-b36f-47c5-91ec-e90bef957221", + "id": "bundle--cb4f92be-ec6c-4e08-97c2-60cd5e52935e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a", "created": "2023-09-28T19:47:25.303Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:15.092Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
diff --git a/ics-attack/relationship/relationship--1582107d-95dd-41ba-b2c0-72200b93a292.json b/ics-attack/relationship/relationship--1582107d-95dd-41ba-b2c0-72200b93a292.json new file mode 100644 index 0000000000..d2d92d0db9 --- /dev/null +++ b/ics-attack/relationship/relationship--1582107d-95dd-41ba-b2c0-72200b93a292.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--3f7a41f4-3a12-4386-8fe2-1ac98a36a642", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1582107d-95dd-41ba-b2c0-72200b93a292", + "created": "2026-04-22T20:17:49.689Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:18:26.772Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries changed the login password of Moxa NPort Serial Device Servers to impede system recovery.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--159fb736-ba92-4564-aa6d-db6f64497763.json b/ics-attack/relationship/relationship--159fb736-ba92-4564-aa6d-db6f64497763.json index 8396453e0e..9b719f37f1 100644 --- a/ics-attack/relationship/relationship--159fb736-ba92-4564-aa6d-db6f64497763.json 
+++ b/ics-attack/relationship/relationship--159fb736-ba92-4564-aa6d-db6f64497763.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5bfae099-d6bf-4221-8693-a754c831cb9a", + "id": "bundle--486f3f89-b2e0-414f-b231-b3ac20201e96", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--159fb736-ba92-4564-aa6d-db6f64497763", "created": "2023-09-28T20:25:59.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:15.566Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--165e3427-8738-4a89-9964-4593c671e855.json b/ics-attack/relationship/relationship--165e3427-8738-4a89-9964-4593c671e855.json index 07c58345f0..faf3888866 100644 --- a/ics-attack/relationship/relationship--165e3427-8738-4a89-9964-4593c671e855.json +++ b/ics-attack/relationship/relationship--165e3427-8738-4a89-9964-4593c671e855.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--951668d0-0618-4c61-b43f-ea972eb535a5", + "id": "bundle--7fd671ed-beec-49ea-b0cb-f93d7830a73e", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--b817139c-2941-4523-bfb5-10c36d230871", "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", diff --git a/ics-attack/relationship/relationship--1673b2e2-7799-4b5f-b5a9-2c51426a6916.json b/ics-attack/relationship/relationship--1673b2e2-7799-4b5f-b5a9-2c51426a6916.json index c441e1a3e1..52bbf598f0 100644 --- a/ics-attack/relationship/relationship--1673b2e2-7799-4b5f-b5a9-2c51426a6916.json 
+++ b/ics-attack/relationship/relationship--1673b2e2-7799-4b5f-b5a9-2c51426a6916.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e3cf46f-83bf-4735-95e6-9195179ffc41", + "id": "bundle--b62868b4-cafa-4a61-ba35-754d417f5cfc", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--1673b2e2-7799-4b5f-b5a9-2c51426a6916", "created": "2024-03-25T20:10:21.706Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jamie Tarabay and Katrina Manson December 2023", diff --git a/ics-attack/relationship/relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json b/ics-attack/relationship/relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json index 7d809b0223..e4cb2aa7aa 100644 --- a/ics-attack/relationship/relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json +++ b/ics-attack/relationship/relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a8622df-ea34-452c-b498-a087fa6e6c19", + "id": "bundle--4900eeaa-073f-4b43-8e5a-077b209fd14e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b", "created": "2023-09-28T20:06:03.889Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:16.202Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json b/ics-attack/relationship/relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json index dcc4862750..baeb9f4ef8 100644 --- a/ics-attack/relationship/relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json 
+++ b/ics-attack/relationship/relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02d6b937-1ff6-4862-bd49-ceb9b469227f", + "id": "bundle--e4a19811-0697-4faf-86f8-95966ea0dd6f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4", "created": "2023-09-29T18:48:52.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:16.427Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json b/ics-attack/relationship/relationship--16b92a53-7334-42b1-bc55-dcd4907fdd9f.json similarity index 73% rename from ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json rename to ics-attack/relationship/relationship--16b92a53-7334-42b1-bc55-dcd4907fdd9f.json index 601b000c95..7673eb51b5 100644 --- a/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json +++ b/ics-attack/relationship/relationship--16b92a53-7334-42b1-bc55-dcd4907fdd9f.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--ff1b7b6a-1689-4a89-ba7b-89e8b8dc6e39", + "id": "bundle--c6675f89-8beb-42d9-9592-c2292a2a95d3", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b", + "id": "relationship--16b92a53-7334-42b1-bc55-dcd4907fdd9f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security September 2016", 
@@ -18,14 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-28T15:26:06.060Z",
- "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
+ "modified": "2026-04-23T19:27:59.202Z",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)\n",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--16c7240e-0559-4c49-9003-1bfe97074252.json b/ics-attack/relationship/relationship--16c7240e-0559-4c49-9003-1bfe97074252.json
index cd7f20e5da..763fe17326 100644
--- a/ics-attack/relationship/relationship--16c7240e-0559-4c49-9003-1bfe97074252.json
+++ b/ics-attack/relationship/relationship--16c7240e-0559-4c49-9003-1bfe97074252.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7ac8cbde-8d2d-4dc8-9503-53d0ce75e24b",
+ "id": "bundle--ef7d255a-4b2f-41ce-9c04-00aca68ac5a6",
 "spec_version": "2.0",
 "objects": [
 {
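Review bot: The rewritten `description` in the relationship--16b92a53 hunk still ends in a literal `\n` after the citation, even though this change already edits the string to remove the space before `(Citation:`. The trailing newline carries no meaning for a one-sentence mitigation text and tends to show up as a stray blank line, or trip whitespace checks, in tools that render ATT&CK descriptions. I would end the value at the closing parenthesis: `...management systems.(Citation: Department of Homeland Security September 2016)",`.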
@@ -8,12 +8,10 @@ "id": "relationship--16c7240e-0559-4c49-9003-1bfe97074252", "created": "2024-04-09T21:02:28.446Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:16.647Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--16cca881-cf8b-4651-9ab1-cc8507cadd58.json b/ics-attack/relationship/relationship--16cca881-cf8b-4651-9ab1-cc8507cadd58.json index d5defdd3d4..e6865c42b6 100644 --- a/ics-attack/relationship/relationship--16cca881-cf8b-4651-9ab1-cc8507cadd58.json +++ b/ics-attack/relationship/relationship--16cca881-cf8b-4651-9ab1-cc8507cadd58.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d1a1e42c-3c0a-4f53-b47d-cfab3f47a0f3", + "id": "bundle--c9548fa7-8347-42a5-95cf-3067a886d019", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7f32731d-7800-483c-b077-c4a187a27ae5", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", diff --git a/ics-attack/relationship/relationship--16fe0039-b992-4432-a692-b30bb034e353.json b/ics-attack/relationship/relationship--16fe0039-b992-4432-a692-b30bb034e353.json index 28c6691e33..5b6d2c3ef2 100644 --- a/ics-attack/relationship/relationship--16fe0039-b992-4432-a692-b30bb034e353.json +++ b/ics-attack/relationship/relationship--16fe0039-b992-4432-a692-b30bb034e353.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f4119674-87fb-4e1c-8f2c-494f84d0385b", + "id": "bundle--3eadeb0f-50fb-43cd-bda0-b7dcb8117e11", "spec_version": "2.0", "objects": [ { 
@@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--37b4971d-2eb8-4f87-899c-19acaf0394bb", "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", diff --git a/ics-attack/relationship/relationship--171ed9c4-35f4-4674-b52d-d920c1a08912.json b/ics-attack/relationship/relationship--171ed9c4-35f4-4674-b52d-d920c1a08912.json new file mode 100644 index 0000000000..d14f95e9c2 --- /dev/null +++ b/ics-attack/relationship/relationship--171ed9c4-35f4-4674-b52d-d920c1a08912.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--467951d0-afd1-4cbd-b4b7-f369b81e80bd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--171ed9c4-35f4-4674-b52d-d920c1a08912", + "created": "2026-04-22T13:30:11.351Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:30:11.351Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d.json b/ics-attack/relationship/relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d.json index 563d1f7661..fb93408070 100644 --- a/ics-attack/relationship/relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d.json +++ b/ics-attack/relationship/relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7e876545-95e4-4053-bfa2-c6d7cee358fb", + "id": "bundle--0175a362-43f1-40c2-8933-ad20d5fd2e5e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d", "created": "2023-03-30T18:57:58.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Symantec", diff --git a/ics-attack/relationship/relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749.json b/ics-attack/relationship/relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749.json index f71a98ee14..a8ac442731 100644 --- a/ics-attack/relationship/relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749.json +++ b/ics-attack/relationship/relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--49e759a7-1dca-43cb-bc14-7301da91382b", + "id": "bundle--60158886-856a-45ca-8777-d841adda286d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749", "created": "2023-09-29T17:05:30.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:17.069Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--17925772-5935-4f50-bf0e-abb5e0bad6b3.json b/ics-attack/relationship/relationship--17925772-5935-4f50-bf0e-abb5e0bad6b3.json new file mode 100644 index 0000000000..fb768f1cc0 --- /dev/null +++ b/ics-attack/relationship/relationship--17925772-5935-4f50-bf0e-abb5e0bad6b3.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--6b214de5-7373-46d1-a4ef-92f7e011541d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--17925772-5935-4f50-bf0e-abb5e0bad6b3", + "created": "2026-04-22T20:42:55.066Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" + }, + { + "source_name": "Colin Gray", + "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" + }, + { + "source_name": "D. Parsons and D. Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, + { + "source_name": "Josh Rinaldi April 2016", + "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", + "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" + }, + { + "source_name": "Langner November 2018", + "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 
2020/09/25 ", + "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:46:57.236Z", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.(Citation: D. Parsons and D. Wylie September 2019)(Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet(Citation: Aditya K Sood July 2019), and Ethernet/IP.(Citation: Langner November 2018)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json b/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json index d5a118facb..786c930e58 100644 --- a/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json +++ b/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28e01c0e-1cda-4cd9-b24f-b8588ef4cc23", + "id": "bundle--5cc5a539-5f5e-4b00-8c3d-af7e3465955b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json b/ics-attack/relationship/relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json index f45e1c511f..1582c0e8b7 100644 --- a/ics-attack/relationship/relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json 
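Review bot: In the new file relationship--17925772-5935-4f50-bf0e-abb5e0bad6b3.json, the `external_references` entry with `"source_name": "Colin Gray"` has a `description` that fuses two sources. It opens with the full text of the D. Parsons and D. Wylie citation and only then names "How SDN Can Improve Cybersecurity in OT Networks", while its `url` points to the SDN paper alone. The entry should describe only the document its URL resolves to, presumably `"description": "Colin Gray How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 "`. The publication date is not visible in the hunk and would need to be confirmed. As written, anyone validating this mitigation guidance against its sources gets a misattributed reference for the `(Citation: Colin Gray)` marker in the description.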
+++ b/ics-attack/relationship/relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--954d5821-ec9b-4ccf-8c1e-20013011fbf1", + "id": "bundle--4859fd96-b5e7-4488-b76d-844aaeb7541c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab", "created": "2023-09-29T17:45:45.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:17.759Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--182010e6-59c2-42f5-91c7-510891a96483.json b/ics-attack/relationship/relationship--182010e6-59c2-42f5-91c7-510891a96483.json index 510f37b467..62053c1b8d 100644 --- a/ics-attack/relationship/relationship--182010e6-59c2-42f5-91c7-510891a96483.json +++ b/ics-attack/relationship/relationship--182010e6-59c2-42f5-91c7-510891a96483.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--84e06c50-75fe-4dfc-bcbb-0c2ebc86ae07", + "id": "bundle--489db3f5-ad6b-469e-9e0d-73d5667b544e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--182010e6-59c2-42f5-91c7-510891a96483", "created": "2025-09-24T17:56:45.611Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--1865830b-511d-4302-99f7-6143647a8e40.json b/ics-attack/relationship/relationship--1865830b-511d-4302-99f7-6143647a8e40.json index ec6fa6ebe5..6f033c5dac 100644 --- a/ics-attack/relationship/relationship--1865830b-511d-4302-99f7-6143647a8e40.json 
+++ b/ics-attack/relationship/relationship--1865830b-511d-4302-99f7-6143647a8e40.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0cda35ad-df94-4361-a674-2772ccfd8f6e", + "id": "bundle--cd535fc1-ab42-46c3-8d1d-132bcb56d348", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--1865830b-511d-4302-99f7-6143647a8e40", "created": "2023-10-02T20:23:52.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:18.192Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--18a562d1-0118-4675-9d66-8e9cc138dd43.json b/ics-attack/relationship/relationship--18a562d1-0118-4675-9d66-8e9cc138dd43.json new file mode 100644 index 0000000000..dee7014637 --- /dev/null +++ b/ics-attack/relationship/relationship--18a562d1-0118-4675-9d66-8e9cc138dd43.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--29c081ba-4c88-47c4-a936-7fde572e62bf", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--18a562d1-0118-4675-9d66-8e9cc138dd43", + "created": "2026-04-22T13:29:20.975Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:29:20.975Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--18ab56e8-79ce-481d-9ab4-e558fbfb5ac5.json b/ics-attack/relationship/relationship--18ab56e8-79ce-481d-9ab4-e558fbfb5ac5.json index 805bcb06e2..02460d7df4 100644 --- a/ics-attack/relationship/relationship--18ab56e8-79ce-481d-9ab4-e558fbfb5ac5.json +++ b/ics-attack/relationship/relationship--18ab56e8-79ce-481d-9ab4-e558fbfb5ac5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e4db5a06-a81a-48b3-9171-af230bcabc17", + "id": "bundle--4c1e7f19-45ac-4f66-8aaf-810385039946", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--18ab56e8-79ce-481d-9ab4-e558fbfb5ac5", "created": "2024-03-25T20:08:41.065Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA AA23-335A IRGC-Affiliated December 2023", diff --git a/ics-attack/relationship/relationship--18af193c-160a-4cae-9078-4d69de5c2347.json b/ics-attack/relationship/relationship--18af193c-160a-4cae-9078-4d69de5c2347.json index 6946bf4d5c..beae47fd68 100644 --- a/ics-attack/relationship/relationship--18af193c-160a-4cae-9078-4d69de5c2347.json +++ b/ics-attack/relationship/relationship--18af193c-160a-4cae-9078-4d69de5c2347.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c5e8f9bc-717a-4652-9e93-7a1b6321e784", + "id": "bundle--de793be2-85b2-47d4-81b1-41d6a78d2432", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--18af193c-160a-4cae-9078-4d69de5c2347", "created": "2023-09-29T18:56:21.340Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:18.630Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", 
diff --git a/ics-attack/relationship/relationship--18af4cd0-5941-4754-86b8-5d2389fd5524.json b/ics-attack/relationship/relationship--18af4cd0-5941-4754-86b8-5d2389fd5524.json index 0107d2b016..b34be95e2d 100644 --- a/ics-attack/relationship/relationship--18af4cd0-5941-4754-86b8-5d2389fd5524.json +++ b/ics-attack/relationship/relationship--18af4cd0-5941-4754-86b8-5d2389fd5524.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0a773971-188b-4f52-86ab-2b2f5ad7a0fe", + "id": "bundle--284fd977-10d5-4477-899d-8348337084e6", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--732d2487-3241-4866-8bb5-044bb4acdd3b", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", diff --git a/ics-attack/relationship/relationship--18cb8770-09ab-48aa-8ead-b3d0030e47dc.json b/ics-attack/relationship/relationship--18cb8770-09ab-48aa-8ead-b3d0030e47dc.json index d2964d450d..8354a3d2a8 100644 --- a/ics-attack/relationship/relationship--18cb8770-09ab-48aa-8ead-b3d0030e47dc.json +++ b/ics-attack/relationship/relationship--18cb8770-09ab-48aa-8ead-b3d0030e47dc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f21d601a-8ad6-442f-8ec3-184407872679", + "id": "bundle--6c85826a-8c21-4d80-8b7c-95b60f0fd5f9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--18cb8770-09ab-48aa-8ead-b3d0030e47dc", "created": "2025-09-29T19:50:12.817Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75.json b/ics-attack/relationship/relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75.json index 1c4508dca2..be9d60b7a7 100644 
--- a/ics-attack/relationship/relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75.json +++ b/ics-attack/relationship/relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7578a2d7-90d8-498b-8fd3-90ded8c31ce8", + "id": "bundle--64a5c448-0c46-452e-9825-397d58174d73", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75", "created": "2023-09-29T18:02:01.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:18.861Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json b/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json index 48615b424a..7f6cd4af11 100644 --- a/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json +++ b/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85e8bd8f-f1b1-45da-a47b-ae544a8c0fb8", + "id": "bundle--05187834-2f33-452b-a306-30c3cf6429bc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1992737e-0df0-43c6-8a43-85bf3802e470.json b/ics-attack/relationship/relationship--1992737e-0df0-43c6-8a43-85bf3802e470.json index 750b34921d..ec3d5ae65e 100644 --- a/ics-attack/relationship/relationship--1992737e-0df0-43c6-8a43-85bf3802e470.json +++ b/ics-attack/relationship/relationship--1992737e-0df0-43c6-8a43-85bf3802e470.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--336a19bc-92de-4023-b3c3-081cd2c13194", + "id": "bundle--9fbf0c61-ef1a-4d7e-a772-718abe5e094f", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--eabde43f-1872-499d-9642-85a6959c4d28", "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", diff --git a/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json b/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json index 4e11807330..535151438c 100644 --- a/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json +++ b/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--05f5a39e-d1ee-42b6-9084-d44ee16ad817", + "id": "bundle--ec14bfda-4895-497d-88bf-04532941aad6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c.json b/ics-attack/relationship/relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c.json index 80e2e7c2f8..c6b7dfd7fd 100644 --- a/ics-attack/relationship/relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c.json +++ b/ics-attack/relationship/relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3f016e14-a2a3-4fe9-96b1-b61ea7a7ddff", + "id": "bundle--e85afccd-b3e8-4d76-9185-a20ad608b3c1", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c", "created": "2023-09-28T20:11:23.956Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:19.981Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826.json b/ics-attack/relationship/relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826.json index df1c2cc105..f5db3b9d4c 100644 --- a/ics-attack/relationship/relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826.json +++ b/ics-attack/relationship/relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94139d4a-2992-4385-9295-03287daa8609", + "id": "bundle--ce3b8539-f75c-4a62-a7de-bbf2e6a75b43", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826", "created": "2023-09-28T21:13:49.529Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:20.204Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0.json b/ics-attack/relationship/relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0.json index 0c6242da25..17fd440198 100644 --- a/ics-attack/relationship/relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0.json +++ b/ics-attack/relationship/relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c699d5c7-016e-4725-9b17-ce80ed46d5e6", + "id": "bundle--5abc7a51-babb-400c-9041-9445a75e4036", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0", "created": "2023-10-02T20:18:45.122Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:20.422Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json b/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json index d01d6abaca..d54181892b 100644 --- a/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json +++ b/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b29b4e8-ffd8-4539-8af8-5a5f16d62330", + "id": "bundle--a376d715-7fe7-4373-b127-c0e705437d25", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1a6d5c5a-c1ac-41a6-8b6e-0d5df81b219f.json b/ics-attack/relationship/relationship--1a6d5c5a-c1ac-41a6-8b6e-0d5df81b219f.json new file mode 100644 index 0000000000..667f90e071 --- /dev/null +++ b/ics-attack/relationship/relationship--1a6d5c5a-c1ac-41a6-8b6e-0d5df81b219f.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--1b30e785-3f70-46b8-88f3-458fc306101f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1a6d5c5a-c1ac-41a6-8b6e-0d5df81b219f", + "created": "2026-04-22T16:40:14.974Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:40:14.974Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1a900ac4-c150-4b57-a899-990854b01d4b.json b/ics-attack/relationship/relationship--1a900ac4-c150-4b57-a899-990854b01d4b.json index 9d7f1396c7..2980c8f3b9 100644 --- a/ics-attack/relationship/relationship--1a900ac4-c150-4b57-a899-990854b01d4b.json +++ b/ics-attack/relationship/relationship--1a900ac4-c150-4b57-a899-990854b01d4b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b1e662a0-fba1-4b23-ac15-df72722e6465", + "id": "bundle--434da46a-04b6-410f-952d-54f0e7e6e774", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--1a900ac4-c150-4b57-a899-990854b01d4b", "created": "2023-09-29T16:33:50.423Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:20.874Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
diff --git a/ics-attack/relationship/relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json b/ics-attack/relationship/relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json index 1e17bbfa06..0ade1eafcc 100644 --- a/ics-attack/relationship/relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json +++ b/ics-attack/relationship/relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--51e1ccc7-a052-469f-bd05-7c897939aa48", + "id": "bundle--cfddae64-4bae-4072-9180-aa230ebae9a2", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356", "created": "2023-09-29T18:57:45.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:21.089Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", diff --git a/ics-attack/relationship/relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d.json b/ics-attack/relationship/relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d.json index 5f069773cb..d8f3e3ab80 100644 --- a/ics-attack/relationship/relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d.json +++ b/ics-attack/relationship/relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8509a8ae-df66-4b7b-bb49-bba1d306ac5e", + "id": "bundle--2ee33a81-57dc-4839-8330-c71867e06635", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d", "created": "2023-09-28T20:09:21.736Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:21.309Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json b/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json index 29f6ecb05c..291470c315 100644 --- a/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json +++ b/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ec59c749-d9d7-42f3-a574-15a0c9a3d2e6", + "id": "bundle--a71307c5-20b3-42af-b6a4-eece94f7e2ed", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json b/ics-attack/relationship/relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json index fc8ae49fed..73e853a5c4 100644 --- a/ics-attack/relationship/relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json +++ b/ics-attack/relationship/relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--193124b0-c606-4e0d-a0da-2d553767583e", + "id": "bundle--4c5cb8ab-f284-41cc-9fde-c95fe56ab2ba", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185", "created": "2023-09-29T18:01:06.725Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:22.157Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d.json b/ics-attack/relationship/relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d.json index 1375acb652..da5db9e2c1 100644 --- a/ics-attack/relationship/relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d.json +++ b/ics-attack/relationship/relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cc4c46f5-f2e4-482f-80ac-42cb89b31827", + "id": "bundle--88e26ddf-be80-4217-a9d6-cf8ebc663a79", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--1b36c370-6e82-4c2f-936d-a6fe8aafc73d", "created": "2024-09-11T22:51:15.202Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Claroty Fuxnet 2024", diff --git a/ics-attack/relationship/relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5.json b/ics-attack/relationship/relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5.json index a4e2c570d2..ad11bb7672 100644 --- a/ics-attack/relationship/relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5.json +++ b/ics-attack/relationship/relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc77b36a-0eca-4dc7-b072-88a0254d2e1d", + "id": "bundle--a5fe454e-d35c-4332-a53e-342f54fdfad6", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5", "created": "2023-09-29T17:43:41.332Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:22.572Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b.json b/ics-attack/relationship/relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b.json index 9d176a605b..92d5188a0d 100644 --- a/ics-attack/relationship/relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b.json +++ b/ics-attack/relationship/relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e783bd29-039a-4a01-9f3e-2bd069e5e5e3", + "id": "bundle--b5cbda8c-965d-4f9d-8114-3521a459d379", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b", "created": "2023-09-29T16:41:44.745Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:22.779Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--1bb30143-97e5-4bbd-9c2b-1d8de70aa10c.json b/ics-attack/relationship/relationship--1bb30143-97e5-4bbd-9c2b-1d8de70aa10c.json index cb53feb1f2..c2517714b4 100644 --- a/ics-attack/relationship/relationship--1bb30143-97e5-4bbd-9c2b-1d8de70aa10c.json +++ b/ics-attack/relationship/relationship--1bb30143-97e5-4bbd-9c2b-1d8de70aa10c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ee68111-2121-4883-ae77-83e64d3851ef", + "id": "bundle--75448fa0-3e14-4a1b-813a-ad70f4c0b9fb", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--1bb30143-97e5-4bbd-9c2b-1d8de70aa10c", "created": "2025-09-24T18:24:36.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--1bb7b8cf-b584-427c-97e8-e4b60750d308.json b/ics-attack/relationship/relationship--1bb7b8cf-b584-427c-97e8-e4b60750d308.json new file mode 100644 index 0000000000..a25d086ee7 --- /dev/null +++ b/ics-attack/relationship/relationship--1bb7b8cf-b584-427c-97e8-e4b60750d308.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--a37bdc60-235a-4136-a68d-0696a98cf70c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1bb7b8cf-b584-427c-97e8-e4b60750d308", + "created": "2026-04-20T20:54:20.114Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:20.114Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json b/ics-attack/relationship/relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json index 5ffef86c53..fe53fa87ba 100644 --- a/ics-attack/relationship/relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json 
+++ b/ics-attack/relationship/relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d4fe70c-81fb-4034-a4f4-5504327a4d71", + "id": "bundle--e7e61ec0-6602-4530-862e-fa8d0ae8978a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738", "created": "2023-09-29T18:00:32.581Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:22.979Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json b/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json index f86044edb1..df536242a1 100644 --- a/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json +++ b/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6ade5516-9414-438e-a975-cede25695ab0", + "id": "bundle--80b38b9e-f443-4410-8587-67b326662f20", "spec_version": "2.0", "objects": [ { 
@@ -19,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:23.423Z", - "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "modified": "2026-04-23T20:02:42.183Z", + "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.(Citation: IEC February 2019)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1c7df4f1-cee5-42c6-a974-29552552666f.json b/ics-attack/relationship/relationship--1c7df4f1-cee5-42c6-a974-29552552666f.json index 30f69c3ebc..1cef0ea69e 100644 --- a/ics-attack/relationship/relationship--1c7df4f1-cee5-42c6-a974-29552552666f.json +++ b/ics-attack/relationship/relationship--1c7df4f1-cee5-42c6-a974-29552552666f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e988004-6d60-4286-a276-42794439e103", + "id": "bundle--22863722-7b01-4b9b-b466-856bb8cf0d89", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@
 "id": "relationship--1c7df4f1-cee5-42c6-a974-29552552666f",
 "created": "2023-09-28T19:47:08.952Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:23.628Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
 "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
diff --git a/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json b/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json
index 000443966a..9d9511850a 100644
--- a/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json
+++ b/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--27db8f3e-1c70-4d38-b7e5-e8ec46ddcc2c",
+ "id": "bundle--01325d39-244f-4500-938e-17b209a3e467",
 "spec_version": "2.0",
 "objects": [
 {
@@ -9,24 +9,17 @@
 "created": "2018-10-17T00:14:20.652Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
- "external_references": [
- {
- "source_name": "Anton Cherepanov, ESET June 2017",
- "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
- }
- ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T23:01:23.875Z",
- "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.(Citation: Anton Cherepanov, ESET June 2017)\n\n[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.",
+ "modified": "2026-04-23T14:12:46.565Z",
+ "description": "[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.",
 "relationship_type": "uses",
 "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
 "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
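Review bot: After this hunk in relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json, the remaining `description` makes a specific claim about the OPC DA module but carries no `(Citation: …)` marker, and the object's only `external_references` entry is removed, so the statement is left unsourced. If the ESET report also covers the OPC DA module (the old text only cites it for the IEC 61850 sentence, so confirm first), keep the `external_references` block and end the sentence with `(Citation: Anton Cherepanov, ESET June 2017)`. It is also worth checking that the removed IEC 61850 / port 102 discovery sentence now lives on another relationship rather than being dropped, since defenders may rely on that behaviour description.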
diff --git a/ics-attack/relationship/relationship--2fe222c4-cc81-473d-956e-235e2961a5c3.json b/ics-attack/relationship/relationship--1cb7bae3-c3d7-43ba-8e51-3fd4d13b7680.json
similarity index 71%
rename from ics-attack/relationship/relationship--2fe222c4-cc81-473d-956e-235e2961a5c3.json
rename to ics-attack/relationship/relationship--1cb7bae3-c3d7-43ba-8e51-3fd4d13b7680.json
index 1687661a04..beef542ecc 100644
--- a/ics-attack/relationship/relationship--2fe222c4-cc81-473d-956e-235e2961a5c3.json
+++ b/ics-attack/relationship/relationship--1cb7bae3-c3d7-43ba-8e51-3fd4d13b7680.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--128a4b1d-e334-4a8f-b80d-a950c2ccd22d",
+ "id": "bundle--59a49c7b-01e1-47a1-b66e-ecab6b253104",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--2fe222c4-cc81-473d-956e-235e2961a5c3",
+ "id": "relationship--1cb7bae3-c3d7-43ba-8e51-3fd4d13b7680",
 "created": "2023-09-29T17:04:26.769Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -13,13 +13,12 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:46.267Z",
- "description": "",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5",
 "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json b/ics-attack/relationship/relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json
index f332805849..e82bd90fb2 100644
--- a/ics-attack/relationship/relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json
+++ b/ics-attack/relationship/relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b711d945-84c3-4459-a223-e71e3a6f2e3e",
+ "id": "bundle--405d35b3-7378-443e-99a6-c3a69f19f9cc",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081",
 "created": "2023-09-29T18:46:12.052Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:24.077Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
 "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
diff --git a/ics-attack/relationship/relationship--1d0daee9-621c-47c8-b9f3-3b9a6dc5ea13.json b/ics-attack/relationship/relationship--1d0daee9-621c-47c8-b9f3-3b9a6dc5ea13.json
index 110f4c033a..1c73042192 100644
--- a/ics-attack/relationship/relationship--1d0daee9-621c-47c8-b9f3-3b9a6dc5ea13.json
+++ b/ics-attack/relationship/relationship--1d0daee9-621c-47c8-b9f3-3b9a6dc5ea13.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bd6aaf22-2906-4f8b-9b43-8537c5f613cb",
+ "id": "bundle--a0f55e2b-7586-4056-b8bc-37421430cd4c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--1d0daee9-621c-47c8-b9f3-3b9a6dc5ea13",
 "created": "2025-09-29T19:46:29.316Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json b/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json
index 00df83f38a..d13a52276c 100644
--- a/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json
+++ b/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f13a1c41-b84e-4531-937c-034e8a1b906b",
+ "id": "bundle--65a9d15e-34d8-401f-bb27-c0092864314a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--1d35c947-447f-4693-9ab0-32dff56e664e",
 "created": "2021-04-13T12:45:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
diff --git a/ics-attack/relationship/relationship--1d637465-fa54-4962-aa2d-cb0d04dfec0a.json b/ics-attack/relationship/relationship--1d637465-fa54-4962-aa2d-cb0d04dfec0a.json
index 45207ffc3f..da5041967d 100644
--- a/ics-attack/relationship/relationship--1d637465-fa54-4962-aa2d-cb0d04dfec0a.json
+++ b/ics-attack/relationship/relationship--1d637465-fa54-4962-aa2d-cb0d04dfec0a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b763dfcd-05f2-45fc-a4fd-45e7a3004597",
+ "id": "bundle--ba9d9585-33c0-407e-938c-ce65e7de4414",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,7 +12,6 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-10-21T15:10:28.402Z",
- "description": "",
 "relationship_type": "detects",
 "source_ref": "x-mitre-detection-strategy--33dd1c37-1702-4de2-9712-fcc640e4b681",
 "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
diff --git a/ics-attack/relationship/relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json b/ics-attack/relationship/relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json
index ae9820b7e9..dd638aa9d0 100644
--- a/ics-attack/relationship/relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json
+++ b/ics-attack/relationship/relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--27ddf615-166a-476a-b13f-34c3b8ee398e",
+ "id": "bundle--efdb55c6-2ab7-4ebc-8fae-63ab3995d907",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653",
 "created": "2023-09-29T17:40:22.705Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:24.766Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
 "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
diff --git a/ics-attack/relationship/relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json b/ics-attack/relationship/relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json
index 6e19cc628c..adbf749ef9 100644
--- a/ics-attack/relationship/relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json
+++ b/ics-attack/relationship/relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ee439b1c-ac24-4a3a-859f-3796733c15e0",
+ "id": "bundle--bf37faac-2c54-493d-9377-cef9d0a334eb",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57",
 "created": "2023-09-27T13:22:26.752Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Booz Allen Hamilton",
diff --git a/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json b/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json
index 615d1785e7..76f1cb85f8 100644
--- a/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json
+++ b/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5d3ad7bb-d158-48fb-99ec-220fb09d2e4a",
+ "id": "bundle--1abb01da-a4b8-49fd-85d4-cbf5a2276775",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335",
 "created": "2021-04-13T12:28:20.652Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Ben Hunter and Fred Gutierrez July 2020",
diff --git a/ics-attack/relationship/relationship--299b13fd-255a-416e-a845-5aa87745d693.json b/ics-attack/relationship/relationship--1dd94603-3686-4dd5-b0be-2cdc43b0c1fb.json
similarity index 78%
rename from ics-attack/relationship/relationship--299b13fd-255a-416e-a845-5aa87745d693.json
rename to ics-attack/relationship/relationship--1dd94603-3686-4dd5-b0be-2cdc43b0c1fb.json
index a873c10a48..c18c0a1779 100644
--- a/ics-attack/relationship/relationship--299b13fd-255a-416e-a845-5aa87745d693.json
+++ b/ics-attack/relationship/relationship--1dd94603-3686-4dd5-b0be-2cdc43b0c1fb.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--adab32e0-0168-4e93-955b-683359745b1a",
+ "id": "bundle--46b2d343-6c58-45d4-8fec-6ddda6037c2a",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--299b13fd-255a-416e-a845-5aa87745d693",
+ "id": "relationship--1dd94603-3686-4dd5-b0be-2cdc43b0c1fb",
 "created": "2025-09-29T19:51:44.664Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -14,7 +14,7 @@
 ],
 "modified": "2025-09-29T19:51:44.665Z",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
+ "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91",
 "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
diff --git a/ics-attack/relationship/relationship--1ddb73e6-b7a8-4f4d-bf8b-f9de3a5ef52a.json b/ics-attack/relationship/relationship--1ddb73e6-b7a8-4f4d-bf8b-f9de3a5ef52a.json
new file mode 100644
index 0000000000..7fc6a6550c
--- /dev/null
+++ b/ics-attack/relationship/relationship--1ddb73e6-b7a8-4f4d-bf8b-f9de3a5ef52a.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--fd54bc3e-b01f-4b05-9772-1e2628d2bb54",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--1ddb73e6-b7a8-4f4d-bf8b-f9de3a5ef52a",
+ "created": "2026-04-23T00:03:40.026Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "IEC February 2019",
+ "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ",
+ "url": "https://webstore.iec.ch/publication/34421"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T20:06:11.973Z",
+ "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.(Citation: IEC February 2019)",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
+ "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
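Review bot: The new object in relationship--1ddb73e6-b7a8-4f4d-bf8b-f9de3a5ef52a.json writes `"revoked": false` explicitly, while other hunks of this commit delete exactly that default from existing relationships (for example relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738). The new files relationship--1efbe3b3-…, relationship--1f886c01-… and relationship--2091a0be-… do the same. Both forms are valid, but the mix means any consumer that filters out revoked objects must treat a missing `revoked` key as `false`. Emitting the field one way across the export would remove that ambiguity for downstream tooling.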
diff --git a/ics-attack/relationship/relationship--1efbe3b3-4e8d-4f3f-b9f9-098c85840e33.json b/ics-attack/relationship/relationship--1efbe3b3-4e8d-4f3f-b9f9-098c85840e33.json
new file mode 100644
index 0000000000..bd0e1e83ef
--- /dev/null
+++ b/ics-attack/relationship/relationship--1efbe3b3-4e8d-4f3f-b9f9-098c85840e33.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--27c88d3f-4945-4ac2-983e-50af0d1ff408",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--1efbe3b3-4e8d-4f3f-b9f9-098c85840e33",
+ "created": "2026-04-22T16:39:31.542Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T16:39:31.542Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c",
+ "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e.json b/ics-attack/relationship/relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e.json
index 49424949ec..d67671da4d 100644
--- a/ics-attack/relationship/relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e.json
+++ b/ics-attack/relationship/relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7d36e999-98ac-4033-893a-5fdf2e6cfbfe",
+ "id": "bundle--4899a7fe-de30-4fbc-a7e4-dbbf7579115f",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e",
 "created": "2023-09-28T21:12:25.345Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:25.760Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
 "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
diff --git a/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json b/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json
index f48dba0148..cc7879227e 100644
--- a/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json
+++ b/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bf48bbc4-ea0a-4545-84c7-caae41c822a6",
+ "id": "bundle--9f46f936-db66-433a-8218-2d13df07a840",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--1f886c01-1fff-452e-bb24-009c91be9b69.json b/ics-attack/relationship/relationship--1f886c01-1fff-452e-bb24-009c91be9b69.json
new file mode 100644
index 0000000000..be3ffc227f
--- /dev/null
+++ b/ics-attack/relationship/relationship--1f886c01-1fff-452e-bb24-009c91be9b69.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--e46be11d-bcf9-4071-b000-67ae0dbb4638",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--1f886c01-1fff-452e-bb24-009c91be9b69",
+ "created": "2026-04-20T20:54:18.047Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-20T20:54:18.047Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df",
+ "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json b/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json
index ac4fd74c4a..bbede0a70e 100644
--- a/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json
+++ b/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b2ca269c-6242-4c37-9995-fa14b76313fe",
+ "id": "bundle--a364c401-9ae3-4cea-8257-93922d8c8ae7",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,14 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T23:01:26.813Z",
- "description": "[Triton](https://attack.mitre.org/software/S1009) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. (Citation: Jos Wetzels January 2018)",
+ "modified": "2026-04-23T18:40:49.819Z",
+ "description": "[Triton](https://attack.mitre.org/software/S1009) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System.(Citation: Jos Wetzels January 2018)",
 "relationship_type": "uses",
 "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
 "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json b/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json
index c3ad65b52f..bd5ccd7784 100644
--- a/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json
+++ b/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3688dfd5-18bd-4353-8a12-02e419994d16",
+ "id": "bundle--fb224719-34d3-4b3a-91ed-84bfb96d916c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json b/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json
index b13d968ea2..1ff145565a 100644
--- a/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json
+++ b/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--621ce7a3-4e79-4623-84e9-8598b7e70b40",
+ "id": "bundle--bb910f33-1d3e-4163-a84c-f6c85b829d6c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437",
 "created": "2021-04-12T18:49:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Tom Fakterman August 2019",
diff --git a/ics-attack/relationship/relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json b/ics-attack/relationship/relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json
index aea6918c72..66fc1bfdb7 100644
--- a/ics-attack/relationship/relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json
+++ b/ics-attack/relationship/relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1c379b63-fdda-4c8d-8cd4-cf5b49c7958b",
+ "id": "bundle--33a4cdb0-d1a6-4af2-b62d-7d8990dd031f",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3",
 "created": "2023-09-28T19:54:37.802Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:27.677Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
 "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
diff --git a/ics-attack/relationship/relationship--20006064-4e2f-4106-a6b4-ee8b4c739c9b.json b/ics-attack/relationship/relationship--20006064-4e2f-4106-a6b4-ee8b4c739c9b.json
index de3ca4200d..56abb1ab9d 100644
--- a/ics-attack/relationship/relationship--20006064-4e2f-4106-a6b4-ee8b4c739c9b.json
+++ b/ics-attack/relationship/relationship--20006064-4e2f-4106-a6b4-ee8b4c739c9b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bbb92fa5-e9e4-482f-b31a-041c1bb60e59",
+ "id": "bundle--c3fe0d05-c78e-40dd-8bbe-ca24c07fd8b9",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,7 +12,6 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-10-21T15:10:28.402Z",
- "description": "",
 "relationship_type": "detects",
 "source_ref": "x-mitre-detection-strategy--04bcf663-e6cd-42bf-8864-f4d1ad345263",
 "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
diff --git a/ics-attack/relationship/relationship--20031e48-2258-4901-ac21-bffd7191e931.json b/ics-attack/relationship/relationship--20031e48-2258-4901-ac21-bffd7191e931.json
index cc0112864b..fb1e204c63 100644
--- a/ics-attack/relationship/relationship--20031e48-2258-4901-ac21-bffd7191e931.json
+++ b/ics-attack/relationship/relationship--20031e48-2258-4901-ac21-bffd7191e931.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c111abd8-00bf-4be8-b015-47137cbfb450",
+ "id": "bundle--0381dcc4-b4e7-48dd-a344-9c1a44bf43c1",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,7 +12,6 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-10-21T15:10:28.402Z",
- "description": "",
 "relationship_type": "detects",
 "source_ref": "x-mitre-detection-strategy--ae24274b-0e20-451e-a883-6eeb0e8e7d00",
 "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
diff --git a/ics-attack/relationship/relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b.json b/ics-attack/relationship/relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b.json
index 13d346689e..7e1205f0e4 100644
--- a/ics-attack/relationship/relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b.json
+++ b/ics-attack/relationship/relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--364db3d8-d813-4b24-9cef-c779b89f69d4",
+ "id": "bundle--a61f93c8-9b6c-45cb-885b-7142a6497a37",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b",
 "created": "2023-03-30T19:26:19.782Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Industroyer2 Mandiant April 2022",
diff --git a/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json b/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json
index ce5a891ea3..3065c4ebb7 100644
--- a/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json
+++ b/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--816a79b8-42d4-409c-b1f1-80bf808ba1ff",
+ "id": "bundle--830a01c8-286e-48b6-8d56-bc00df442abb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--208fe57b-cf2e-4188-8a6f-77597cd60351.json b/ics-attack/relationship/relationship--208fe57b-cf2e-4188-8a6f-77597cd60351.json
index 13e9f61665..13d3acd692 100644
--- a/ics-attack/relationship/relationship--208fe57b-cf2e-4188-8a6f-77597cd60351.json
+++ b/ics-attack/relationship/relationship--208fe57b-cf2e-4188-8a6f-77597cd60351.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7d2f85af-2b23-4b7b-b0bb-4739f159f271",
+ "id": "bundle--d8f63b01-f6e0-46d3-8899-675e3db7498d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--208fe57b-cf2e-4188-8a6f-77597cd60351",
 "created": "2023-09-29T17:44:43.317Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:29.056Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
 "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
diff --git a/ics-attack/relationship/relationship--20913dc0-33cc-43f8-bd34-a2f9a4a5fbd3.json b/ics-attack/relationship/relationship--20913dc0-33cc-43f8-bd34-a2f9a4a5fbd3.json
index 99642c7165..431cbf326e 100644
--- a/ics-attack/relationship/relationship--20913dc0-33cc-43f8-bd34-a2f9a4a5fbd3.json
+++ b/ics-attack/relationship/relationship--20913dc0-33cc-43f8-bd34-a2f9a4a5fbd3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--23492604-35c5-4688-9a6e-2688d04b7bb8",
+ "id": "bundle--3c4ea821-3663-4df3-9b74-7c30cffca930",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--20913dc0-33cc-43f8-bd34-a2f9a4a5fbd3",
 "created": "2025-09-24T18:24:19.525Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--2091a0be-48ce-4d5c-963b-8ba2842b57e3.json b/ics-attack/relationship/relationship--2091a0be-48ce-4d5c-963b-8ba2842b57e3.json
new file mode 100644
index 0000000000..7891e77980
--- /dev/null
+++ b/ics-attack/relationship/relationship--2091a0be-48ce-4d5c-963b-8ba2842b57e3.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--0e48b4c4-b87d-49b6-92a2-7bfb0b14300d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2091a0be-48ce-4d5c-963b-8ba2842b57e3",
+ "created": "2026-04-22T20:36:02.162Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T20:36:02.162Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91",
+ "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json b/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json
index 2ac00a0799..672eed56b4 100644
--- a/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json
+++ b/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3f108b30-756d-495c-9aa2-c8398d4a5eb3",
+ "id": "bundle--b18404d3-8ec6-4690-9622-bb130cb45756",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json b/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json
index 7568b47d0f..fef333e902 100644
--- a/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json
+++ b/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--06896bab-8ed8-408d-9691-37f26f35fb6e",
+ "id": "bundle--ed3004fc-cb4b-444c-b113-ec1b5c755324",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--20f66fab-7a08-4707-ac79-92dac5acd11d",
 "created": "2021-04-13T11:15:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016",
diff --git a/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json b/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json
index bf1e518f97..f780843bb8 100644
--- a/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json
+++ b/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--de2080ad-09e9-4c0c-9073-0e9e67cafb4f",
+ "id": "bundle--6a66f75d-7062-4586-9281-319cee460786",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--21041206-da58-45c7-adb0-db07caebdcb6",
 "created": "2021-04-13T12:36:26.506Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016",
diff --git a/ics-attack/relationship/relationship--21058f32-3d6e-4381-9288-5c2248e84cce.json b/ics-attack/relationship/relationship--21058f32-3d6e-4381-9288-5c2248e84cce.json
index 1677dab47c..cd0d3adfa7 100644
--- a/ics-attack/relationship/relationship--21058f32-3d6e-4381-9288-5c2248e84cce.json
+++ b/ics-attack/relationship/relationship--21058f32-3d6e-4381-9288-5c2248e84cce.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ee110b09-96f8-4218-b1e6-0dc864e700a2",
+ "id": "bundle--aa70398f-e00c-4c02-ac51-ab94440ddf60",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--21058f32-3d6e-4381-9288-5c2248e84cce",
 "created": "2023-09-29T18:44:27.240Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:29.950Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
 "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
diff --git a/ics-attack/relationship/relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4.json b/ics-attack/relationship/relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4.json
index c83699f18f..8259663753 100644
--- a/ics-attack/relationship/relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4.json
+++ b/ics-attack/relationship/relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4b6e555f-0e1d-4450-94b0-b8c303b0457f",
+ "id": "bundle--0a83bc06-787f-4bc8-9d1d-c16bcd5027a0",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4",
 "created": "2023-09-28T19:44:53.873Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:30.435Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
 "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
diff --git a/ics-attack/relationship/relationship--21470001-67f2-47cf-af21-784e5024ac1d.json b/ics-attack/relationship/relationship--21470001-67f2-47cf-af21-784e5024ac1d.json
index 235bac5e53..aec2b68091 100644
--- a/ics-attack/relationship/relationship--21470001-67f2-47cf-af21-784e5024ac1d.json
+++ b/ics-attack/relationship/relationship--21470001-67f2-47cf-af21-784e5024ac1d.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c7297e0d-97ce-4000-8936-3d3aba6b90e3", + "id": "bundle--91d0e876-913e-459b-a826-74ea9f7786ee", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--21470001-67f2-47cf-af21-784e5024ac1d", "created": "2023-09-29T18:01:22.023Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:30.632Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--2159458f-87fc-4479-81f4-a2521a378221.json b/ics-attack/relationship/relationship--2159458f-87fc-4479-81f4-a2521a378221.json index 789be4e68d..4b04201ed2 100644 --- a/ics-attack/relationship/relationship--2159458f-87fc-4479-81f4-a2521a378221.json +++ b/ics-attack/relationship/relationship--2159458f-87fc-4479-81f4-a2521a378221.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0af75d7e-bff9-4e88-a84f-e1781e1f2599", + "id": "bundle--51f677fe-83ab-4351-99d9-9f7a2a4fa8dc", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--2159458f-87fc-4479-81f4-a2521a378221", "created": "2023-09-28T21:22:09.790Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:31.056Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
diff --git a/ics-attack/relationship/relationship--21aa6331-3419-4049-b180-8349b71e1f2a.json b/ics-attack/relationship/relationship--21aa6331-3419-4049-b180-8349b71e1f2a.json index 509b8e1f3c..b12c9fe73b 100644 --- a/ics-attack/relationship/relationship--21aa6331-3419-4049-b180-8349b71e1f2a.json +++ b/ics-attack/relationship/relationship--21aa6331-3419-4049-b180-8349b71e1f2a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a93ea197-f379-4bce-800a-e086354c800d", + "id": "bundle--dea2472e-86a6-4870-8b18-895e362dc9f5", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--21aa6331-3419-4049-b180-8349b71e1f2a", "created": "2023-09-28T21:11:03.947Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:31.273Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json b/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json index b30b34b4f4..6411dbd029 100644 --- a/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json +++ b/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc9f6c1a-0e9e-4035-b851-b5de81d9a7eb", + "id": "bundle--f88c9680-2c68-4a88-96b2-f50de475ab40", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--21c7b1bb-ba40-4843-b462-079b1b85c01b.json b/ics-attack/relationship/relationship--21c7b1bb-ba40-4843-b462-079b1b85c01b.json new file mode 100644 index 0000000000..6af1fee7ab --- /dev/null +++ b/ics-attack/relationship/relationship--21c7b1bb-ba40-4843-b462-079b1b85c01b.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--50b65c31-8f67-40ff-bf3f-6eaca476cbc7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--21c7b1bb-ba40-4843-b462-079b1b85c01b", + "created": "2026-04-22T16:08:04.299Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:08:41.550Z", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--21e0e769-cc74-4e3b-8f88-072ebf8eaaf2.json b/ics-attack/relationship/relationship--21e0e769-cc74-4e3b-8f88-072ebf8eaaf2.json index 6f5e86f7b6..59f39d899b 100644 --- a/ics-attack/relationship/relationship--21e0e769-cc74-4e3b-8f88-072ebf8eaaf2.json +++ b/ics-attack/relationship/relationship--21e0e769-cc74-4e3b-8f88-072ebf8eaaf2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b0fc0b8-0770-42ef-be07-df9d2e206fc2", + "id": "bundle--7b48a62e-5509-4a96-8c1f-af0c0de8b0e7", "spec_version": "2.0", "objects": [ { 
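Review bot: The citation text in the new `external_references` entry of relationship--21c7b1bb-ba40-4843-b462-079b1b85c01b is malformed: `"Department of Homeland Security 2016, September Retrieved. 2020/09/25 "` has no document title, a misplaced "Retrieved." and a trailing space. This string is what a reader relies on to trace the segmentation guidance in `description` back to its source, so it should name the document, for example `"description": "Department of Homeland Security. (2016, September). <DOCUMENT TITLE>. Retrieved September 25, 2020."` with the title taken from the linked PDF. The `url` uses the `us-cert.cisa.gov` host, so it is also worth confirming that the link still resolves before publishing.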
@@ -8,7 +8,6 @@ "id": "relationship--21e0e769-cc74-4e3b-8f88-072ebf8eaaf2", "created": "2025-09-29T19:24:56.529Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json b/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json index 2ad021a5b4..c48e52aa24 100644 --- a/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json +++ b/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b88fd2b1-7641-4fe7-88f1-64f2e7c039ed", + "id": "bundle--4d6a132e-cf2a-4a75-900b-7b272722fb8e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--22401c3f-f64f-4ee6-94ee-24fe108b595a.json b/ics-attack/relationship/relationship--22401c3f-f64f-4ee6-94ee-24fe108b595a.json index 514febcf74..382ad6aabc 100644 --- a/ics-attack/relationship/relationship--22401c3f-f64f-4ee6-94ee-24fe108b595a.json +++ b/ics-attack/relationship/relationship--22401c3f-f64f-4ee6-94ee-24fe108b595a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3cdab5fd-fe02-4eeb-8bd3-a64d5d6ca30b", + "id": "bundle--c358f6b0-3180-4622-b291-ff693c82a40a", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--3e884c49-75ca-449e-83cb-3517ee88e0f1", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", diff --git a/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json b/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json index e2704e0118..1333412e4e 100644 
--- a/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json +++ b/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4ec774da-3bdc-4256-a765-72e009c9cbb6", + "id": "bundle--d4a6f811-e84d-4209-94fb-7e8287755318", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--22448288-32d9-4d2c-be16-0784e119fff1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--22548926-29b4-4882-9878-633375489c0e.json b/ics-attack/relationship/relationship--22548926-29b4-4882-9878-633375489c0e.json index 45ed92248f..2467f0e848 100644 --- a/ics-attack/relationship/relationship--22548926-29b4-4882-9878-633375489c0e.json +++ b/ics-attack/relationship/relationship--22548926-29b4-4882-9878-633375489c0e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a0c4597-c64f-4754-afe3-b48efcd37758", + "id": "bundle--dcfe6289-52ff-4185-a77e-e68d22e3ef6b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--22548926-29b4-4882-9878-633375489c0e", "created": "2023-09-28T20:30:50.842Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:32.138Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--2287eabb-5349-4d3e-938a-7d6023d7e02c.json b/ics-attack/relationship/relationship--2287eabb-5349-4d3e-938a-7d6023d7e02c.json index 4a83730f73..fd0c4d7ff6 100644 
--- a/ics-attack/relationship/relationship--2287eabb-5349-4d3e-938a-7d6023d7e02c.json +++ b/ics-attack/relationship/relationship--2287eabb-5349-4d3e-938a-7d6023d7e02c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--72e93303-105e-41fd-a95b-8cce4a7481cb", + "id": "bundle--05d2b356-8410-4d41-8a9a-7390e7fade2e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--2287eabb-5349-4d3e-938a-7d6023d7e02c", "created": "2025-09-29T22:04:12.484Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--2289f005-7863-4af5-b681-cdfc03d3f111.json b/ics-attack/relationship/relationship--2289f005-7863-4af5-b681-cdfc03d3f111.json index 5cc94c5ee8..833983b4ac 100644 --- a/ics-attack/relationship/relationship--2289f005-7863-4af5-b681-cdfc03d3f111.json +++ b/ics-attack/relationship/relationship--2289f005-7863-4af5-b681-cdfc03d3f111.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d14dd9c-d7d8-4d5b-ba8d-3faf8a074164", + "id": "bundle--1c9c7f5a-4fed-4cf5-8d72-8b14f15a9795", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--2289f005-7863-4af5-b681-cdfc03d3f111", "created": "2023-09-29T18:56:08.414Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:32.376Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", diff --git a/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json b/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json index 7164b9ae9c..e227b41afb 100644 
--- a/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json +++ b/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b2f5cf93-bc5e-4527-bdfd-29238863f0da", + "id": "bundle--482657c6-775c-434e-a644-3b3bc11c0d6a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET", diff --git a/ics-attack/relationship/relationship--22ae18ec-d856-483c-a2ab-9db0739b0475.json b/ics-attack/relationship/relationship--22ae18ec-d856-483c-a2ab-9db0739b0475.json new file mode 100644 index 0000000000..e125af85ea --- /dev/null +++ b/ics-attack/relationship/relationship--22ae18ec-d856-483c-a2ab-9db0739b0475.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--6e7ba602-6b39-4da6-baa2-54003f47733e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--22ae18ec-d856-483c-a2ab-9db0739b0475", + "created": "2026-04-20T20:54:19.543Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:19.543Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", + "target_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--232c7049-7609-46a9-8bbe-38672713f853.json b/ics-attack/relationship/relationship--232c7049-7609-46a9-8bbe-38672713f853.json index 5f35faf266..9f7fdf86dd 100644 
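Review bot: The new `subtechnique-of` object relationship--22ae18ec-d856-483c-a2ab-9db0739b0475 writes `"revoked": false` but omits `x_mitre_deprecated`. The new `mitigates` and `detects` files in this commit write both fields, while the edited files have `"revoked": false` removed. Field presence is therefore inconsistent across objects in the same release, and any tooling that selects active mappings by testing for the literal `false` will silently drop some of them. If explicit values are intended for new objects, add `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version` here and in relationship--2361ff8c-68a1-4899-a046-ba1b083272de; either way, consumers should treat a missing `revoked` or `x_mitre_deprecated` as false.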
--- a/ics-attack/relationship/relationship--232c7049-7609-46a9-8bbe-38672713f853.json +++ b/ics-attack/relationship/relationship--232c7049-7609-46a9-8bbe-38672713f853.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9db8a84-0acb-4841-b81a-658e6b65d53a", + "id": "bundle--fe172307-5fb6-460a-931d-b52e948d58be", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--232c7049-7609-46a9-8bbe-38672713f853", "created": "2023-09-28T21:15:32.371Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:33.029Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49.json b/ics-attack/relationship/relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49.json index 405894ca72..6fbb3931c2 100644 --- a/ics-attack/relationship/relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49.json +++ b/ics-attack/relationship/relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--31225b03-a9e2-47a2-aa9a-351efeb3d738", + "id": "bundle--3a412141-fd36-4372-81ae-26ec8a8bbef7", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49", "created": "2023-09-29T16:43:53.940Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:33.285Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
diff --git a/ics-attack/relationship/relationship--23564002-f836-4da6-a083-e086a606f0eb.json b/ics-attack/relationship/relationship--23564002-f836-4da6-a083-e086a606f0eb.json index f0b70e972c..d39f402b9f 100644 --- a/ics-attack/relationship/relationship--23564002-f836-4da6-a083-e086a606f0eb.json +++ b/ics-attack/relationship/relationship--23564002-f836-4da6-a083-e086a606f0eb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--18e79071-cbda-4a6e-aef8-6fa43e633d3a", + "id": "bundle--b6c24197-d8dc-4372-a60b-2a6232a38abb", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--08c090e3-c56f-4a8b-80f6-307a1daf46ea", "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", diff --git a/ics-attack/relationship/relationship--2361ff8c-68a1-4899-a046-ba1b083272de.json b/ics-attack/relationship/relationship--2361ff8c-68a1-4899-a046-ba1b083272de.json new file mode 100644 index 0000000000..6726e4cc0a --- /dev/null +++ b/ics-attack/relationship/relationship--2361ff8c-68a1-4899-a046-ba1b083272de.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--15e993c2-e102-463d-9a70-53d26b0005b1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2361ff8c-68a1-4899-a046-ba1b083272de", + "created": "2026-04-20T20:54:23.490Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:23.490Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--23851bda-49de-4f35-979f-c4e6b5742389.json b/ics-attack/relationship/relationship--23851bda-49de-4f35-979f-c4e6b5742389.json index 69e4387f2a..f422115dee 100644 --- a/ics-attack/relationship/relationship--23851bda-49de-4f35-979f-c4e6b5742389.json +++ b/ics-attack/relationship/relationship--23851bda-49de-4f35-979f-c4e6b5742389.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--03b5fedf-cbd4-4ca3-8487-f7fb929bdbef", + "id": "bundle--d488f577-3038-4278-902d-9eee281474e5", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--23851bda-49de-4f35-979f-c4e6b5742389", "created": "2024-04-09T20:59:53.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:33.748Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
diff --git a/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json b/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json index 550fd03d08..5269808582 100644 --- a/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json +++ b/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b06df6e6-c91e-4113-817f-4f0d986e47a4", + "id": "bundle--8cc7d66c-1321-4833-b7e2-f9afc2533980", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Microsoft Security Response Center August 2017", diff --git a/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json b/ics-attack/relationship/relationship--23f33619-c64e-4999-85c1-b5c88e570e46.json similarity index 75% rename from ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json rename to ics-attack/relationship/relationship--23f33619-c64e-4999-85c1-b5c88e570e46.json index 7dd3789142..125761e647 100644 --- a/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json +++ b/ics-attack/relationship/relationship--23f33619-c64e-4999-85c1-b5c88e570e46.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--3f0b9a16-b7f1-488b-9d30-bbd54dee2f6c", + "id": "bundle--5a3a40e0-1057-4cf2-9039-752e5aebd36c", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--3ed98d8c-de30-499e-9a62-eae0207519f4", + "id": "relationship--23f33619-c64e-4999-85c1-b5c88e570e46", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -15,10 +16,10 @@ "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json b/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json index 7d8a5b42c1..b0bc58e1d0 100644 --- a/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json +++ b/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--47999e47-38a8-4369-bd27-452de5169b02", + "id": "bundle--23f0d12f-9180-4847-a72f-076a0da0dda7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json b/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json index 9040ddffb5..5639d7b9d4 100644 --- a/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json +++ b/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--600fcb3b-2187-4039-8dad-3a2c68800a0c", + "id": "bundle--90e16aee-48f3-4692-8a83-9a2f8381dffb", "spec_version": "2.0", "objects": [ { 
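Review bot: This mitigation mapping is re-issued under a new `id` (relationship--23f33619-c64e-4999-85c1-b5c88e570e46 replacing relationship--3ed98d8c-de30-499e-9a62-eae0207519f4) with a different `target_ref`, yet `created` stays at 2020-09-21 and the line between the two hunks, presumably `modified`, is not in the diff. In STIX the `id` is the object's identity, so a consumer that syncs by id sees the old mapping vanish with no revocation record and a new object that appears to predate this release. If the old id cannot be kept, consider leaving the old file in place with `"revoked": true` so that coverage reports built on the previous mapping can be reconciled. The same pattern applies to relationship--2445124d-1fc9-49ad-8715-96053f39d717 (renamed from relationship--874752f4-59a2-46e9-ae28-befe0142b223) in the next file section.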
diff --git a/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json b/ics-attack/relationship/relationship--2445124d-1fc9-49ad-8715-96053f39d717.json similarity index 84% rename from ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json rename to ics-attack/relationship/relationship--2445124d-1fc9-49ad-8715-96053f39d717.json index b982b59f6c..d6cf03f85d 100644 --- a/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json +++ b/ics-attack/relationship/relationship--2445124d-1fc9-49ad-8715-96053f39d717.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--3a70ebf4-1029-44ea-b560-9a4d1bc6b758", + "id": "bundle--1687e7e1-50e1-482c-9d73-7d702583b128", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--874752f4-59a2-46e9-ae28-befe0142b223", + "id": "relationship--2445124d-1fc9-49ad-8715-96053f39d717", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -23,10 +23,10 @@ "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a hardcoded password in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "target_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07.json b/ics-attack/relationship/relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07.json index 1f63c5cbe3..7e49e3ff22 100644 --- a/ics-attack/relationship/relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07.json +++ b/ics-attack/relationship/relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e5910813-4819-4d08-88e0-91337a6c1bf7", + "id": "bundle--6bd624ee-4078-4f2b-b990-326b208c0f8a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07", "created": "2023-09-28T20:25:47.357Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:34.622Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--245c8c36-28e5-4508-a585-7768cb33299a.json b/ics-attack/relationship/relationship--245c8c36-28e5-4508-a585-7768cb33299a.json index dd2ba94534..b019f8adef 100644 --- a/ics-attack/relationship/relationship--245c8c36-28e5-4508-a585-7768cb33299a.json +++ b/ics-attack/relationship/relationship--245c8c36-28e5-4508-a585-7768cb33299a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d1daa39d-7f08-43fd-9265-e37979084dd9", + "id": "bundle--f3a700bd-f7da-43ff-8d46-65f7e753308a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--245c8c36-28e5-4508-a585-7768cb33299a", "created": "2023-03-10T20:06:10.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", 
diff --git a/ics-attack/relationship/relationship--246ba662-bd89-4295-b603-582ebad285da.json b/ics-attack/relationship/relationship--246ba662-bd89-4295-b603-582ebad285da.json new file mode 100644 index 0000000000..84e8e4aef1 --- /dev/null +++ b/ics-attack/relationship/relationship--246ba662-bd89-4295-b603-582ebad285da.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--30488b57-f7a7-4704-a823-b389fc3f8e08", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--246ba662-bd89-4295-b603-582ebad285da", + "created": "2026-04-23T00:27:24.380Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:34:11.928Z", + "description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d.json b/ics-attack/relationship/relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d.json index 360354115f..5d0ec5cb7b 100644 --- a/ics-attack/relationship/relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d.json +++ b/ics-attack/relationship/relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--510e9275-01fb-4b6d-af78-c0d6faa354c3", + "id": "bundle--bc7f63c2-68b2-47d3-a388-a1041d2cbc0f", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--24793eaf-f0d8-4baf-ba3d-900b87cf464d", "created": "2024-04-09T21:00:24.049Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:35.080Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json b/ics-attack/relationship/relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json index 637db66f6c..c140795df3 100644 --- a/ics-attack/relationship/relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json +++ b/ics-attack/relationship/relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d85ebe4a-5a91-4c9d-9c5a-d61b4fa36d13", + "id": "bundle--057dfcb0-14dc-4205-8f66-f491f18be4eb", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5", "created": "2023-09-29T17:07:55.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:35.532Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json b/ics-attack/relationship/relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json index db5711babd..dbca982082 100644 --- a/ics-attack/relationship/relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json +++ b/ics-attack/relationship/relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eddaab45-4a6c-4973-aff8-346af7f540c1", + "id": "bundle--95a50f42-a22b-4f11-aa21-c008b946d13c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe", "created": "2023-09-28T20:10:06.838Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:35.763Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--250212f0-a149-4a14-af83-94f7fcedc021.json b/ics-attack/relationship/relationship--250212f0-a149-4a14-af83-94f7fcedc021.json index 386d7ca7b6..4a76017c9a 100644 --- a/ics-attack/relationship/relationship--250212f0-a149-4a14-af83-94f7fcedc021.json +++ b/ics-attack/relationship/relationship--250212f0-a149-4a14-af83-94f7fcedc021.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--79526424-d94f-487b-bf7c-761efbd030bb", + "id": "bundle--1271582a-9f44-4e4c-85c7-e5d78568ca81", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--250212f0-a149-4a14-af83-94f7fcedc021", "created": "2023-09-28T20:26:29.934Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:35.960Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
diff --git a/ics-attack/relationship/relationship--25095116-7b71-4a6d-8a98-b60adff61372.json b/ics-attack/relationship/relationship--25095116-7b71-4a6d-8a98-b60adff61372.json new file mode 100644 index 0000000000..cb4adfd2ba --- /dev/null +++ b/ics-attack/relationship/relationship--25095116-7b71-4a6d-8a98-b60adff61372.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--911cf403-872a-4f96-9c00-8203bc147911", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--25095116-7b71-4a6d-8a98-b60adff61372", + "created": "2026-04-22T22:57:07.320Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:57:07.320Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--527668a3-cc0c-48c2-856a-a45615817366", + "target_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--25281488-be20-4d83-89d1-1da7ea836037.json b/ics-attack/relationship/relationship--25281488-be20-4d83-89d1-1da7ea836037.json index 937a86a1ad..64e74afc85 100644 --- a/ics-attack/relationship/relationship--25281488-be20-4d83-89d1-1da7ea836037.json +++ b/ics-attack/relationship/relationship--25281488-be20-4d83-89d1-1da7ea836037.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e21bfc3-026e-492a-91d0-f2936db0e464", + "id": "bundle--f17088c6-d813-4ebf-9724-d0d0ac2cf2e5", "spec_version": "2.0", "objects": [ { 
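Review bot: `"revoked": false` is serialized inconsistently in this commit: the new object relationship--25095116-7b71-4a6d-8a98-b60adff61372 is written with the key, while the neighbouring hunks delete that same line from existing objects such as relationship--25281488-be20-4d83-89d1-1da7ea836037. The other added files visible here (for example relationship--27cac33f-cb57-45ff-8312-5ebac2e22396) and the renamed relationship--28d4feb4-7a87-4376-8401-d579f830472b carry the key as well. STIX treats an absent `revoked` as false, so the meaning is unchanged, but a consumer that filters on key presence or compares the raw field will now split the data set by object age. I would have the export drop the `"revoked": false,` line from new objects too, or keep it on every object. The same applies to `"description": ""`, which is removed from old objects here, so readers should treat a missing description and an empty one alike.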
@@ -8,12 +8,10 @@ "id": "relationship--25281488-be20-4d83-89d1-1da7ea836037", "created": "2023-09-29T17:40:47.898Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:36.185Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json b/ics-attack/relationship/relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json index ce2c1f8db7..045f3892bd 100644 --- a/ics-attack/relationship/relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json +++ b/ics-attack/relationship/relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6c31f2a-468b-4949-bdce-c569bac555cc", + "id": "bundle--62758f66-7860-4af2-a5ef-0aef8d5ecdf8", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3", "created": "2023-03-30T18:57:21.754Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Kevin Savage and Branko Spasojevic", diff --git a/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json b/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json index 71639d2ea5..07b3dc2741 100644 --- a/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json +++ b/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d2f03529-14ee-4918-8921-684b95bd2529", + "id": "bundle--42ba7e84-e6ab-44d8-920b-43eae91be9bc", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--25e7ca82-2784-433a-90a9-a3483615a655", "created": "2019-04-12T17:01:01.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye WannaCry 2017", @@ -23,7 +22,7 @@ { "source_name": "FireEye APT38 Oct 2018", "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.", - "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" + "url": "https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf" }, { "source_name": "LogRhythm WannaCry", @@ -34,14 +33,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T22:03:05.097Z", + "modified": "2025-11-13T19:21:05.136Z", "description": "(Citation: FireEye APT38 Oct 2018)(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)", "relationship_type": "uses", "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json b/ics-attack/relationship/relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json index ef6ce25d40..311928d749 100644 --- a/ics-attack/relationship/relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json +++ b/ics-attack/relationship/relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf752225-49aa-4e9f-a1d0-898c05357d78", + "id": "bundle--c4443406-f250-46b9-b599-0612f9c1043e", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7", "created": "2023-03-10T20:34:25.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", diff --git a/ics-attack/relationship/relationship--26bb65a5-a5c4-4a6a-9bdb-982abf425b49.json b/ics-attack/relationship/relationship--26bb65a5-a5c4-4a6a-9bdb-982abf425b49.json index 56dd69faa1..e6896fb3b7 100644 --- a/ics-attack/relationship/relationship--26bb65a5-a5c4-4a6a-9bdb-982abf425b49.json +++ b/ics-attack/relationship/relationship--26bb65a5-a5c4-4a6a-9bdb-982abf425b49.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f1941a47-7018-46eb-80ad-c081f6321124", + "id": "bundle--c12cca60-fed6-4eb7-a94c-aa092e862f6c", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--47c6f72c-1f2f-4ea8-94d0-08202b7d5bdb", "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", diff --git a/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json b/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json index b66bbb20de..67e50e6410 100644 --- a/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json +++ b/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4574529c-9a06-425a-8f7a-3e49eb713120", + "id": "bundle--4c1a5432-851d-4b66-a8b6-0075ca9909f2", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--26d68f5d-6ee5-4d98-b175-943366ccc038", "created": "2020-10-14T21:33:27.046Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos October 2018", diff --git a/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json b/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json index 137a7a4947..3b116a3edb 100644 --- a/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json +++ b/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eba99f79-4d71-44ae-b42a-75efc813cf80", + "id": "bundle--3fcf8ff7-2300-414f-a0a1-651b40b84701", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--274994e7-1fe9-463a-9979-46c72107bf9b.json b/ics-attack/relationship/relationship--274994e7-1fe9-463a-9979-46c72107bf9b.json index 94a97a001c..3a48ab3ead 100644 --- a/ics-attack/relationship/relationship--274994e7-1fe9-463a-9979-46c72107bf9b.json +++ b/ics-attack/relationship/relationship--274994e7-1fe9-463a-9979-46c72107bf9b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f30049c2-53f0-4e24-acad-60a997a950e2", + "id": "bundle--69bfda1f-e9b7-4f5d-a7de-a1899c9e5728", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--274994e7-1fe9-463a-9979-46c72107bf9b", "created": "2023-03-30T18:56:47.685Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET", diff --git a/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json b/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json index 98b06e6920..1363541525 100644 --- a/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json 
+++ b/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6928c120-bebb-4395-892c-c049a61414c7", + "id": "bundle--41e930da-c19c-475c-924d-08143870bd84", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d84d4745-77d0-46e4-a876-82a15c745a88.json b/ics-attack/relationship/relationship--278cf882-835f-4e65-a8fc-bb8956dcbea0.json similarity index 78% rename from ics-attack/relationship/relationship--d84d4745-77d0-46e4-a876-82a15c745a88.json rename to ics-attack/relationship/relationship--278cf882-835f-4e65-a8fc-bb8956dcbea0.json index de9ca7040c..818c3bd6ca 100644 --- a/ics-attack/relationship/relationship--d84d4745-77d0-46e4-a876-82a15c745a88.json +++ b/ics-attack/relationship/relationship--278cf882-835f-4e65-a8fc-bb8956dcbea0.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--bbd4bb81-25a0-4569-9b85-62bca6c47ecf", + "id": "bundle--c158c34d-c829-42fb-8a26-fb1c671e61cd", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--d84d4745-77d0-46e4-a876-82a15c745a88", + "id": "relationship--278cf882-835f-4e65-a8fc-bb8956dcbea0", "created": "2025-09-29T19:47:53.277Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-29T19:47:53.277Z", "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, diff --git a/ics-attack/relationship/relationship--27cac33f-cb57-45ff-8312-5ebac2e22396.json b/ics-attack/relationship/relationship--27cac33f-cb57-45ff-8312-5ebac2e22396.json new file mode 100644 index 0000000000..d7f0b1c9a3 --- /dev/null 
+++ b/ics-attack/relationship/relationship--27cac33f-cb57-45ff-8312-5ebac2e22396.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--4405c6fc-3c85-4724-8efa-34e747e2d823", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--27cac33f-cb57-45ff-8312-5ebac2e22396", + "created": "2026-04-22T17:50:24.743Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T17:50:24.743Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d.json b/ics-attack/relationship/relationship--27f87692-30c1-4693-b209-fdc78382badd.json similarity index 71% rename from ics-attack/relationship/relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d.json rename to ics-attack/relationship/relationship--27f87692-30c1-4693-b209-fdc78382badd.json index ddad062796..e0343de1e0 100644 --- a/ics-attack/relationship/relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d.json +++ b/ics-attack/relationship/relationship--27f87692-30c1-4693-b209-fdc78382badd.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--094419aa-f6c3-474c-adfd-5e6d5502ee35", + "id": "bundle--1cb2c6cf-67d1-4294-a730-e37b8ac6ea5d", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d", + "id": "relationship--27f87692-30c1-4693-b209-fdc78382badd", "created": "2023-09-28T20:17:07.288Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:42.230Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--282731bc-968f-432a-937a-0343f3a8ba35.json b/ics-attack/relationship/relationship--282731bc-968f-432a-937a-0343f3a8ba35.json new file mode 100644 index 0000000000..69639576c7 --- /dev/null +++ b/ics-attack/relationship/relationship--282731bc-968f-432a-937a-0343f3a8ba35.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--f0fa53b2-c09e-4f86-9d09-99ed8392b0e6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--282731bc-968f-432a-937a-0343f3a8ba35", + "created": "2026-04-22T22:32:58.268Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:32:58.268Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json b/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json index 3dc632a2da..3f8b1b9179 100644 --- a/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json +++ b/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--157acf8e-6f2a-4e58-ba53-8e2059a81e25", + "id": "bundle--7835909c-59b9-4ca5-9e91-b3b496a9301c", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--2867f491-919b-463f-b689-bb3ceb7ae99f", "created": "2022-09-28T20:31:07.486Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos-Pipedream", diff --git a/ics-attack/relationship/relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad.json b/ics-attack/relationship/relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad.json index 5752e55f2b..ee1be4ccc4 100644 --- a/ics-attack/relationship/relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad.json +++ b/ics-attack/relationship/relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--89a1383f-d287-4de9-a328-39720634c82b", + "id": "bundle--c1fc2833-f689-466a-b9c7-284a0f35255d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad", "created": "2023-09-29T18:05:32.443Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:38.580Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
diff --git a/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json b/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json index b06664bcd0..9e047f6990 100644 --- a/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json +++ b/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--953ba304-e399-4428-bb8b-a9a077e11a6b", + "id": "bundle--a9ef7a30-c740-4da0-879b-6ded5c528213", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--28b06a92-2933-49f5-887e-c09cf1bb861f.json b/ics-attack/relationship/relationship--28b06a92-2933-49f5-887e-c09cf1bb861f.json new file mode 100644 index 0000000000..86653ae0dd --- /dev/null +++ b/ics-attack/relationship/relationship--28b06a92-2933-49f5-887e-c09cf1bb861f.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--1324db1d-9eb3-401d-ac6a-cd66368775b7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--28b06a92-2933-49f5-887e-c09cf1bb861f", + "created": "2026-04-22T22:52:28.627Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:18:25.444Z", + "description": "Implement network allowlists to minimize network access to only authorized hosts.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--28bb99c4-ac44-406c-bd5d-cabb273363fb.json b/ics-attack/relationship/relationship--28bb99c4-ac44-406c-bd5d-cabb273363fb.json new file mode 100644 index 0000000000..b6ba2220be --- /dev/null +++ b/ics-attack/relationship/relationship--28bb99c4-ac44-406c-bd5d-cabb273363fb.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--382f4797-5288-4e26-9a86-382cd752f532", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--28bb99c4-ac44-406c-bd5d-cabb273363fb", + "created": "2026-04-23T00:28:35.816Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:38:38.883Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--302eb257-cd1f-468e-a9f2-3229a7737bb1.json b/ics-attack/relationship/relationship--28d4feb4-7a87-4376-8401-d579f830472b.json similarity index 75% rename from ics-attack/relationship/relationship--302eb257-cd1f-468e-a9f2-3229a7737bb1.json rename to ics-attack/relationship/relationship--28d4feb4-7a87-4376-8401-d579f830472b.json index d3398b8aa4..ec5c89096d 100644 --- a/ics-attack/relationship/relationship--302eb257-cd1f-468e-a9f2-3229a7737bb1.json +++ b/ics-attack/relationship/relationship--28d4feb4-7a87-4376-8401-d579f830472b.json 
@@ -1,21 +1,21 @@ { "type": "bundle", - "id": "bundle--c02668db-72ae-4f04-96fe-15a5943342e0", + "id": "bundle--2915841c-a3de-475d-97b5-9bad11183361", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--302eb257-cd1f-468e-a9f2-3229a7737bb1", + "id": "relationship--28d4feb4-7a87-4376-8401-d579f830472b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--4ea060f9-f6fc-4122-9544-70afd567ea10", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" diff --git a/ics-attack/relationship/relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e.json b/ics-attack/relationship/relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e.json index 12559b15f7..470cb432e1 100644 --- a/ics-attack/relationship/relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e.json +++ b/ics-attack/relationship/relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dfb35220-1dbc-4622-9594-7c809c253741", + "id": "bundle--009d4666-82ef-4276-a69a-65f73029ceb8", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e", "created": "2023-09-28T21:26:47.115Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:39.000Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--29397fec-dc16-4407-81a2-9e53cc082570.json b/ics-attack/relationship/relationship--29397fec-dc16-4407-81a2-9e53cc082570.json new file mode 100644 index 0000000000..11b20c4346 --- /dev/null +++ b/ics-attack/relationship/relationship--29397fec-dc16-4407-81a2-9e53cc082570.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--5bca83ef-af72-41aa-9ee6-ca81407de7f5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--29397fec-dc16-4407-81a2-9e53cc082570", + "created": "2026-04-22T13:29:48.617Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:29:48.617Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--296375b0-817d-4f42-afe1-4308f5edf973.json b/ics-attack/relationship/relationship--296375b0-817d-4f42-afe1-4308f5edf973.json index c5883fd712..baf91e1ee3 100644 
--- a/ics-attack/relationship/relationship--296375b0-817d-4f42-afe1-4308f5edf973.json +++ b/ics-attack/relationship/relationship--296375b0-817d-4f42-afe1-4308f5edf973.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d7b3ae0-15fc-4682-ae9d-ca5b5cac92cd", + "id": "bundle--cf26e353-bc0b-4da0-a589-7a75732355fe", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--296375b0-817d-4f42-afe1-4308f5edf973", "created": "2023-09-28T21:10:25.193Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:39.198Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json b/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json index 825c66f842..d3669082f0 100644 --- a/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json +++ b/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--946dd167-566d-4396-b39c-69f1d5255a83", + "id": "bundle--91c08634-e91d-4222-a37b-1519da0d0717", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json b/ics-attack/relationship/relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json index af261648f6..3e77d6b0f8 100644 --- a/ics-attack/relationship/relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json +++ b/ics-attack/relationship/relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--68862d06-aa2e-41e7-95b9-2d7663f54e4b", + "id": "bundle--04caf514-23e1-4731-9d02-44e00a4512cf", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81", "created": "2023-09-29T18:46:39.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:39.889Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--29ebbcee-3c41-42e1-8a3e-1c6678ca5ece.json b/ics-attack/relationship/relationship--29ebbcee-3c41-42e1-8a3e-1c6678ca5ece.json index 2a1d0c8dd8..c4bc8b4952 100644 --- a/ics-attack/relationship/relationship--29ebbcee-3c41-42e1-8a3e-1c6678ca5ece.json +++ b/ics-attack/relationship/relationship--29ebbcee-3c41-42e1-8a3e-1c6678ca5ece.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eba4b922-2017-4ab8-a618-c214d461ece8", + "id": "bundle--454d5c33-16c9-46b9-895c-31647b45f16b", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--29ebbcee-3c41-42e1-8a3e-1c6678ca5ece", "created": "2025-09-29T19:46:51.576Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--2a451896-81aa-4eed-a444-4d04661adeeb.json b/ics-attack/relationship/relationship--2a451896-81aa-4eed-a444-4d04661adeeb.json index ee2785579d..241b63683d 100644 --- a/ics-attack/relationship/relationship--2a451896-81aa-4eed-a444-4d04661adeeb.json +++ b/ics-attack/relationship/relationship--2a451896-81aa-4eed-a444-4d04661adeeb.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ca1dafe-7978-4abe-8e87-170db9189806", + "id": "bundle--b7b74671-65c4-479d-a76c-aa8ea483a497", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--2a451896-81aa-4eed-a444-4d04661adeeb", "created": "2023-09-29T16:43:42.911Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:40.097Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe.json b/ics-attack/relationship/relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe.json index c9027290c3..5b156e6d3b 100644 --- a/ics-attack/relationship/relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe.json +++ b/ics-attack/relationship/relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bd60d2e8-3ab8-41a9-9be2-bc6089cccc6b", + "id": "bundle--ccc732d4-827b-432b-9744-3f98bb13fd08", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe", "created": "2023-09-28T19:38:46.361Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:40.314Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
diff --git a/ics-attack/relationship/relationship--2ad5f781-1f7c-4bb9-984a-9299a307132f.json b/ics-attack/relationship/relationship--2ad5f781-1f7c-4bb9-984a-9299a307132f.json
new file mode 100644
index 0000000000..21184c2603
--- /dev/null
+++ b/ics-attack/relationship/relationship--2ad5f781-1f7c-4bb9-984a-9299a307132f.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--10506e20-07c8-4dae-8d1b-f7250b54621b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2ad5f781-1f7c-4bb9-984a-9299a307132f",
+ "created": "2026-04-22T16:40:40.952Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T16:40:40.952Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c",
+ "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json b/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json
index 3bb89734a4..c940fc8666 100644
--- a/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json
+++ b/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5d2af9d0-ea6e-48f0-a2aa-9cddd9ef63a4",
+ "id": "bundle--3998b5bf-5294-4b4f-96a6-182417f5193a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json b/ics-attack/relationship/relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json
index 58699497a1..dc293e8538 100644
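Review bot: `"revoked": false` is written out explicitly in the new `relationship--2ad5f781-…` object, while other hunks in the same commit (for example `relationship--29c2757d-…` and `relationship--2a451896-…`) delete that exact line from existing relationships. After this commit the key is present on some active relationships and absent on others, so a consumer that filters on `revoked == false` without defaulting a missing key to `false` would silently drop part of the technique-to-asset mappings. One serialization should be used throughout the bundle set, and downstream parsers should treat an absent `revoked` as `false`.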
--- a/ics-attack/relationship/relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json +++ b/ics-attack/relationship/relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fada44fc-f86f-4c71-8507-daf66cb1860b", + "id": "bundle--2c7f5a24-b0ef-4ae1-9656-0b1b74e6ec3b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1", "created": "2023-09-29T18:46:54.684Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:40.766Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--2c1510bc-99d2-43d6-a58c-585d2dab485e.json b/ics-attack/relationship/relationship--2c1510bc-99d2-43d6-a58c-585d2dab485e.json index f5cdeff3ab..f942277efc 100644 --- a/ics-attack/relationship/relationship--2c1510bc-99d2-43d6-a58c-585d2dab485e.json +++ b/ics-attack/relationship/relationship--2c1510bc-99d2-43d6-a58c-585d2dab485e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a7d757df-ee7d-4e9a-b6e6-8558ad46653f", + "id": "bundle--030f0991-3506-46dc-8665-1857f0e0eb11", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ffeac6e1-798f-41b1-8baf-2650d2ebe031", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", 
diff --git a/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json b/ics-attack/relationship/relationship--2c6c4752-536e-4b96-86d7-7efe88350082.json similarity index 67% rename from ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json rename to ics-attack/relationship/relationship--2c6c4752-536e-4b96-86d7-7efe88350082.json index 01858e22f7..2057570e22 100644 --- a/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json +++ b/ics-attack/relationship/relationship--2c6c4752-536e-4b96-86d7-7efe88350082.json 
@@ -1,24 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--d0effc14-a037-4a4b-ae48-8c43b0b22df0",
+ "id": "bundle--99549494-9777-4715-af8b-cdf3297edf36",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f",
+ "id": "relationship--2c6c4752-536e-4b96-86d7-7efe88350082",
 "created": "2020-09-21T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-28T15:24:37.713Z",
- "description": "Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n",
+ "modified": "2026-04-23T15:26:14.965Z",
+ "description": "Provide an alternative method for sending critical command messages to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
- "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2c79920a-f2d1-4114-a1df-924835da645c.json b/ics-attack/relationship/relationship--2c79920a-f2d1-4114-a1df-924835da645c.json
index 70e1107142..fb16a38399 100644
--- a/ics-attack/relationship/relationship--2c79920a-f2d1-4114-a1df-924835da645c.json
+++ b/ics-attack/relationship/relationship--2c79920a-f2d1-4114-a1df-924835da645c.json
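Review bot: The mitigation mapping gets a brand-new `id` (`relationship--2c6c4752-…`) while `created` stays at `2020-09-21T17:59:24.739Z`, and the old `relationship--0c9ed09d-…` object disappears instead of being kept with `revoked` or `x_mitre_deprecated` set. Consumers that cache mitigation-to-technique mappings by relationship id get no tombstone telling them that the link to `attack-pattern--008b8f56-…` was superseded by the link to `attack-pattern--15ca2a99-…`, so stale mappings can linger in coverage reports. If the old timestamp is kept deliberately to preserve provenance, that should be documented with the release; otherwise `created` should presumably reflect when this object was minted. The reworded `description` also still joins two sentences with a comma and keeps a trailing `\n`.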
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--11571e5c-89b3-40e3-9679-e0ef734121f1", + "id": "bundle--641d5809-f186-4aa4-b6b9-fe0ccaad87eb", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--2c79920a-f2d1-4114-a1df-924835da645c", "created": "2023-09-28T19:53:00.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:40.983Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json b/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json index 310d9c9560..5978413b50 100644 --- a/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json +++ b/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--46dc8ae0-3f7f-4e78-bb6a-f02536ccc4ab", + "id": "bundle--1719bcc2-5836-4ada-949d-e8fac2bd75f2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce.json b/ics-attack/relationship/relationship--2ce3d5d3-6575-4b4c-a67c-64fb31974540.json similarity index 71% rename from ics-attack/relationship/relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce.json rename to ics-attack/relationship/relationship--2ce3d5d3-6575-4b4c-a67c-64fb31974540.json index 95ca4cd031..efc8e844d6 100644 --- a/ics-attack/relationship/relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce.json +++ b/ics-attack/relationship/relationship--2ce3d5d3-6575-4b4c-a67c-64fb31974540.json 
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--2b865712-bf98-48e0-ac52-aea6df0be53e",
+ "id": "bundle--c8197785-09a7-444a-9fb7-6b4bbda98cae",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce",
+ "id": "relationship--2ce3d5d3-6575-4b4c-a67c-64fb31974540",
 "created": "2023-09-28T21:16:44.471Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -13,13 +13,12 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:48.301Z",
- "description": "",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
+ "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0",
 "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json b/ics-attack/relationship/relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json
index 54b5b78206..6eb968f95c 100644
--- a/ics-attack/relationship/relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json
+++ b/ics-attack/relationship/relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--739a3dc7-36f7-46fe-a937-94e749461a1a",
+ "id": "bundle--50d11aae-8d1e-468b-927e-0fb489004a75",
 "spec_version": "2.0",
 "objects": [
 {
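Review bot: In the rename to `relationship--2ce3d5d3-…`, `"modified": "2025-04-16T23:01:48.301Z"` is left untouched as a context line even though the object gets a new `id`, a different `source_ref` and a new `x_mitre_attack_spec_version`. Pipelines that pull ATT&CK deltas by `modified`, or that choose the current version of an object by it, would not register this re-pointed `targets` mapping as a change. The `modified` value should carry the time of this edit, as the rename to `relationship--2c6c4752-…` does with `"modified": "2026-04-23T15:26:14.965Z"`. The rename to `relationship--2d312430-…` shows the same gap, with `modified` still at `2025-04-16T23:04:30.059Z`.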
@@ -8,12 +8,10 @@ "id": "relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2", "created": "2023-09-29T16:33:12.887Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:41.964Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--2d17672c-ceaf-4fbb-8f3e-a00996b240c8.json b/ics-attack/relationship/relationship--2d17672c-ceaf-4fbb-8f3e-a00996b240c8.json new file mode 100644 index 0000000000..7a3d240e28 --- /dev/null +++ b/ics-attack/relationship/relationship--2d17672c-ceaf-4fbb-8f3e-a00996b240c8.json 
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--dbb89bce-2164-4c4d-9204-2f52e14da63c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2d17672c-ceaf-4fbb-8f3e-a00996b240c8",
+ "created": "2026-04-22T20:26:56.868Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "CERT Polska",
+ "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.",
+ "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
+ },
+ {
+ "source_name": "Dragos ELECTRUM JAN 2026",
+ "description": "https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf. (2026, January). ELECTRUM: CYBER ATTACK ON POLAND\u2019S ELECTRIC SYSTEM 2025. Retrieved April 22, 2026.",
+ "url": "https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T21:43:53.991Z",
+ "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries wiped devices and also damaged Mikronika RTUs, Hitachi Relion Protection and Control Relays (IEDs), and HMI workstations resulting in a loss of communications and view between the facility and the distribution system operators (DSO).(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d",
+ "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
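Review bot: The `Dragos ELECTRUM JAN 2026` reference has the report URL where the author belongs: its `description` begins `https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf. (2026, January).`, which looks like a form-field mix-up and should presumably read `Dragos. (2026, January). ELECTRUM: CYBER ATTACK ON POLAND\u2019S ELECTRIC SYSTEM 2025. Retrieved April 22, 2026.`. The `url` points at a numbered `hs-sites.com` hosting subdomain rather than a publisher-owned domain, so a reader cannot confirm provenance from the link alone; a canonical publisher link, if one exists, would be preferable. Separately, `"source_name": "CERT Polska"` is generic enough to collide with any other CERT Polska citation, so a dated name in the style of the Dragos entry would be safer; the same applies to `relationship--2dd1d205-…`.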
diff --git a/ics-attack/relationship/relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76.json b/ics-attack/relationship/relationship--2d312430-66d1-4549-a5f9-47abc2730e43.json similarity index 71% rename from ics-attack/relationship/relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76.json rename to ics-attack/relationship/relationship--2d312430-66d1-4549-a5f9-47abc2730e43.json index 283c595881..bf709580c6 100644 --- a/ics-attack/relationship/relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76.json +++ b/ics-attack/relationship/relationship--2d312430-66d1-4549-a5f9-47abc2730e43.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--ea481429-0318-46cc-9639-cbfa135adb7d", + "id": "bundle--c73f0fd6-5951-4758-97bf-e7095c9f3a3f", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76", + "id": "relationship--2d312430-66d1-4549-a5f9-47abc2730e43", "created": "2023-09-29T16:46:12.472Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:30.059Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2d621264-4a6d-4bc7-abaf-89a89c2ef813.json b/ics-attack/relationship/relationship--2d621264-4a6d-4bc7-abaf-89a89c2ef813.json new file mode 100644 index 0000000000..4744894420 --- /dev/null +++ b/ics-attack/relationship/relationship--2d621264-4a6d-4bc7-abaf-89a89c2ef813.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--4b79d700-bcac-4fa0-9e2f-2153fbcb867c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2d621264-4a6d-4bc7-abaf-89a89c2ef813", + "created": "2026-04-22T16:03:38.326Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:51:51.532Z", + "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json b/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json index 9c347b0250..94daf1964f 100644 --- a/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json +++ b/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d449ee1-6de1-4080-856f-03b0f11b7a10", + "id": "bundle--31b265a9-189f-4434-bd18-cf7cbb7c8240", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe.json b/ics-attack/relationship/relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe.json index b44c94298c..d02793e841 100644 --- a/ics-attack/relationship/relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe.json +++ b/ics-attack/relationship/relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0eda54fe-4dd4-4970-9370-95a99af9e396", + "id": "bundle--0b4ea1ac-2e3e-4099-858d-a08ad915771e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe", "created": "2023-09-29T17:39:15.857Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:42.621Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--2dd1d205-55e4-4226-9221-5839f2268e57.json b/ics-attack/relationship/relationship--2dd1d205-55e4-4226-9221-5839f2268e57.json new file mode 100644 index 0000000000..8b6d12264a --- /dev/null +++ b/ics-attack/relationship/relationship--2dd1d205-55e4-4226-9221-5839f2268e57.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--b807878d-aa5f-4265-b449-b3bd42a3a061",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2dd1d205-55e4-4226-9221-5839f2268e57",
+ "created": "2026-04-22T20:24:29.733Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "CERT Polska",
+ "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.",
+ "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T20:24:29.733Z",
+ "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries corrupted the firmware in the Hitachi RTUs resulting in a fault that triggered a reboot loop.(Citation: CERT Polska)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d",
+ "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json b/ics-attack/relationship/relationship--2de38f5e-b97c-498a-a4c9-f13e5d2d233c.json
similarity index 77%
rename from ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json
rename to ics-attack/relationship/relationship--2de38f5e-b97c-498a-a4c9-f13e5d2d233c.json
index 074299a356..6a8a1341df 100644
--- a/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json
+++ b/ics-attack/relationship/relationship--2de38f5e-b97c-498a-a4c9-f13e5d2d233c.json
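Review bot: The `description` in `relationship--2dd1d205-…` attributes the corrupted firmware to "the Hitachi RTUs", whereas `relationship--2d17672c-…`, added in the same commit for the same campaign, names "Mikronika RTUs" and "Hitachi Relion Protection and Control Relays (IEDs)". Both may be accurate if several device families were affected, but a reader scoping exposure by vendor and device class cannot tell that from these two entries. The wording is worth checking against the cited CERT Polska report and replacing with the product name that report gives. The definite article in "the Hitachi RTUs" also refers to devices this description never introduces.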
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--40ca2693-6b54-490e-ba61-938b8fc71e2c", + "id": "bundle--6361c35e-db6c-47f8-81e4-4eb95101d447", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--07c0e166-f05e-413f-8f3e-f487317c9626", + "id": "relationship--2de38f5e-b97c-498a-a4c9-f13e5d2d233c", "created": "2023-03-22T15:53:59.953Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -16,10 +16,10 @@ "description": "Devices and programs that receive command messages from remote systems (e.g., control servers) should verify those commands before taking any actions on them.", "relationship_type": "mitigates", "source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json b/ics-attack/relationship/relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json index a64e1ede41..c016f7702b 100644 --- a/ics-attack/relationship/relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json +++ b/ics-attack/relationship/relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a2a56b1-b487-42ed-8abc-9fc8710e1f60", + "id": "bundle--d912b9ce-eb5f-4b05-a9ab-69d79c760fcf", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a", "created": "2023-09-28T19:40:51.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:43.048Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json b/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json index 330c88d063..8fdb970662 100644 --- a/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json +++ b/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1b9b7941-b026-4c18-bf9b-e224b7b42ce5", + "id": "bundle--8c4376b2-521d-447a-9fca-637df2786238", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2e9a021d-6dbe-4ee5-a98b-041bb13d2836.json b/ics-attack/relationship/relationship--2e9a021d-6dbe-4ee5-a98b-041bb13d2836.json new file mode 100644 index 0000000000..8c49ec2573 --- /dev/null +++ b/ics-attack/relationship/relationship--2e9a021d-6dbe-4ee5-a98b-041bb13d2836.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--e612ab39-ce19-4f7c-b7bd-b778cf975394", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2e9a021d-6dbe-4ee5-a98b-041bb13d2836", + "created": "2026-04-22T16:38:10.305Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:38:10.305Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json b/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json index ac72da8e17..9ba5cce66a 100644 --- a/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json +++ b/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--843b5bb5-02a5-450a-8881-6db47ff3d8b3", + "id": "bundle--35ba5080-4dd5-4603-866d-6caa1b100bbb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json b/ics-attack/relationship/relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json index 48f7d4ba95..2b6f7998ea 100644 --- a/ics-attack/relationship/relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json +++ b/ics-attack/relationship/relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4376b18d-28cd-4e50-bfcb-f0b1aae26137", + "id": "bundle--9f1046cf-e7af-4c60-abbd-9d9bf0c9b2eb", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8", "created": "2023-09-28T20:02:05.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:43.954Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json b/ics-attack/relationship/relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json index 4756c64971..c77cb852cb 100644 --- a/ics-attack/relationship/relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json +++ b/ics-attack/relationship/relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd38ae49-fa3a-4819-bd4a-e6a792ca9967", + "id": "bundle--dd8215dd-21be-4361-82ff-f08957da051c", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f", "created": "2023-09-27T14:47:29.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", diff --git a/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json b/ics-attack/relationship/relationship--2f15fa70-7e2d-4ef3-9654-0404e71ac343.json similarity index 84% rename from ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json rename to ics-attack/relationship/relationship--2f15fa70-7e2d-4ef3-9654-0404e71ac343.json index a7b5378d02..3925d7a4a9 100644 --- a/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json +++ b/ics-attack/relationship/relationship--2f15fa70-7e2d-4ef3-9654-0404e71ac343.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--0a3d3307-8f36-4d8f-b8cd-0bd8bd54eec0", + "id": "bundle--4d3a779c-bdbf-4a78-a0bd-d56d78cd95bf", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348", + "id": "relationship--2f15fa70-7e2d-4ef3-9654-0404e71ac343", "created": "2022-09-28T21:18:55.279Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -23,10 +23,10 @@ "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can send custom Modbus commands to write register values on Schneider PLCs.(Citation: CISA-AA22-103A) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can send write tag values on OPC UA servers.(Citation: CISA-AA22-103A) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2f457bef-1721-4e0f-b236-24e4652a31b4.json b/ics-attack/relationship/relationship--2f457bef-1721-4e0f-b236-24e4652a31b4.json index 615d209b28..f7d3645511 100644 --- a/ics-attack/relationship/relationship--2f457bef-1721-4e0f-b236-24e4652a31b4.json +++ b/ics-attack/relationship/relationship--2f457bef-1721-4e0f-b236-24e4652a31b4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--41aa574b-3132-4214-9af8-3a5737529deb", + "id": "bundle--ab225ed9-2366-411b-901e-ee5733ee28b6", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--2f457bef-1721-4e0f-b236-24e4652a31b4", "created": "2023-09-29T16:29:53.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:44.422Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json b/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json index 7845d4bb25..b7f4676872 100644 --- a/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json +++ b/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ac45520-7158-4141-b0f8-84a2c42b6db1", + "id": "bundle--2bc168eb-6a55-4f41-a0ea-6b1e9c5dd469", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json b/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json index 608d1045a7..eff174ae6e 100644 --- a/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json +++ b/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8d8db079-5daf-451f-ac43-54eb7da2ac6e", + "id": "bundle--62849746-b05d-4536-a895-158f56287a3a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd.json b/ics-attack/relationship/relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd.json index 950d5d6102..8ff4679d72 100644 --- a/ics-attack/relationship/relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd.json 
+++ b/ics-attack/relationship/relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0627e7e8-7239-4fa5-b68b-464d4489f8ca", + "id": "bundle--57e88d71-6282-4758-9ec0-995f8fff4526", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--2f7c49a0-89fe-4d18-915c-c321868d47bd", "created": "2024-04-09T21:02:56.157Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:45.125Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json b/ics-attack/relationship/relationship--2f8c9deb-aefe-4fa3-b00c-ec15fd154233.json similarity index 77% rename from ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json rename to ics-attack/relationship/relationship--2f8c9deb-aefe-4fa3-b00c-ec15fd154233.json index 22dd142e86..f50cd14fb3 100644 --- a/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json +++ b/ics-attack/relationship/relationship--2f8c9deb-aefe-4fa3-b00c-ec15fd154233.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--28adef63-43f7-41e7-a214-6eaf61ae1524", + "id": "bundle--64ec7d3e-48ca-4e1c-a07b-3ae6c8411507", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--48489baf-56c2-423e-964a-0a61688e4a19", + "id": "relationship--2f8c9deb-aefe-4fa3-b00c-ec15fd154233", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -15,10 +16,10 @@ "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50.json b/ics-attack/relationship/relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50.json index aa8ac44832..7b0d43ca9d 100644 --- a/ics-attack/relationship/relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50.json +++ b/ics-attack/relationship/relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13bb5440-7f29-402c-9e57-b06a06b14c8f", + "id": "bundle--f862e4ed-b3c0-4b4a-b03d-be3d100453ca", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50", "created": "2023-09-28T20:30:21.865Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:45.376Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
diff --git a/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json b/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json index 08f2491889..40678a54de 100644 --- a/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json +++ b/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5453a0c4-d747-4e2b-a33f-745116c4ef51", + "id": "bundle--d25c4b70-ea5c-45f1-81ee-3042f88c2936", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json b/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json index c5a2e20a59..e55a13e87b 100644 --- a/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json +++ b/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b8e0cacf-953c-4b40-8f33-908236763351", + "id": "bundle--3f3f819a-f42e-4961-a9b1-c89ec11728d1", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--2fd35996-196f-4a58-9dab-07f52c74f4d3.json b/ics-attack/relationship/relationship--2fd35996-196f-4a58-9dab-07f52c74f4d3.json new file mode 100644 index 0000000000..85975b2d81 --- /dev/null +++ b/ics-attack/relationship/relationship--2fd35996-196f-4a58-9dab-07f52c74f4d3.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--975c1313-f513-49e3-ae55-b42c00fa37ef", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2fd35996-196f-4a58-9dab-07f52c74f4d3", + "created": "2026-04-20T20:54:17.065Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:17.065Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9.json b/ics-attack/relationship/relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9.json index e1b26e1f2c..3b57e53e88 100644 --- a/ics-attack/relationship/relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9.json +++ b/ics-attack/relationship/relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9641e3f5-454a-4e2a-ba2f-6d88dd224693", + "id": "bundle--be1763c4-362c-47f5-a0f8-cea6adf1835f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9", "created": "2023-09-28T19:43:28.167Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:46.041Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
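Review bot: The added `subtechnique-of` object in `relationship--2fd35996-196f-4a58-9dab-07f52c74f4d3.json` has no `x_mitre_deprecated` key. The other relationship files added in this commit, for example `relationship--30227ffe-9019-4fed-9ee2-e4cfba77e3ec.json`, do carry `"x_mitre_deprecated": false`. A consumer that filters on this field with a strict key lookup may handle this object differently from its siblings. If the omission is not intentional for this relationship type, add `"x_mitre_deprecated": false,` after the `x_mitre_modified_by_ref` line; otherwise, state in the release notes that an absent key means not deprecated.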
diff --git a/ics-attack/relationship/relationship--2ff351dc-5b86-4a5b-b0f0-7ac1af8f891f.json b/ics-attack/relationship/relationship--2ff351dc-5b86-4a5b-b0f0-7ac1af8f891f.json index 8734fb00c6..edcff70000 100644 --- a/ics-attack/relationship/relationship--2ff351dc-5b86-4a5b-b0f0-7ac1af8f891f.json +++ b/ics-attack/relationship/relationship--2ff351dc-5b86-4a5b-b0f0-7ac1af8f891f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d564eb90-e372-47e6-86d2-91f4390ba050", + "id": "bundle--cbf0fb70-e38e-40b7-9b42-6fb0c5250fd5", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--336b9423-5543-4354-bd00-13c614ccdc96", "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", diff --git a/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json b/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json index 0adeed2ed1..9fa879eb1d 100644 --- a/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json +++ b/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9229098b-e119-4cda-b258-131ce5724268", + "id": "bundle--5f2069d4-3643-45ba-b66c-757afb5d218d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json b/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json index c714d5bf25..063fa7ed97 100644 --- a/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json +++ b/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ec391f19-d223-47a3-9d75-20ae0bd42926", + "id": "bundle--528eaffd-cf1d-47de-8ecd-3d5d20c0a0df", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json b/ics-attack/relationship/relationship--3003564d-fb12-4509-946b-818e4e5b8431.json similarity index 73% rename from ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json rename to ics-attack/relationship/relationship--3003564d-fb12-4509-946b-818e4e5b8431.json index ed4768f643..b064645e17 100644 --- a/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json +++ b/ics-attack/relationship/relationship--3003564d-fb12-4509-946b-818e4e5b8431.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--677a8c86-a04c-4875-8566-0b88f44418d7", + "id": "bundle--80476907-822d-4093-84c5-cccd19cc9a5f", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba", + "id": "relationship--3003564d-fb12-4509-946b-818e4e5b8431", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Devices should authenticate all messages between master and outstation assets.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--30227ffe-9019-4fed-9ee2-e4cfba77e3ec.json b/ics-attack/relationship/relationship--30227ffe-9019-4fed-9ee2-e4cfba77e3ec.json new file mode 100644 index 0000000000..22f2612baa --- /dev/null +++ b/ics-attack/relationship/relationship--30227ffe-9019-4fed-9ee2-e4cfba77e3ec.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--0cdb1d13-2929-49e7-9a31-d46f86821d5b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--30227ffe-9019-4fed-9ee2-e4cfba77e3ec", + "created": "2026-04-22T20:42:19.762Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:42:19.762Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--305866af-1f36-49e0-a57d-d5faaf29011c.json b/ics-attack/relationship/relationship--305866af-1f36-49e0-a57d-d5faaf29011c.json index 6020b201e0..b0d3414fe6 100644 --- a/ics-attack/relationship/relationship--305866af-1f36-49e0-a57d-d5faaf29011c.json +++ b/ics-attack/relationship/relationship--305866af-1f36-49e0-a57d-d5faaf29011c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0fbdad65-7865-4894-98a1-08d07689b057", + "id": "bundle--ca9c378c-1795-4aaf-b7a3-193edb50dd6a", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--305866af-1f36-49e0-a57d-d5faaf29011c", "created": "2023-09-28T20:34:52.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:46.946Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--3066ddc9-b4e8-41b6-a28f-9de5030cb714.json b/ics-attack/relationship/relationship--3066ddc9-b4e8-41b6-a28f-9de5030cb714.json new file mode 100644 index 0000000000..465c30f438 --- /dev/null +++ b/ics-attack/relationship/relationship--3066ddc9-b4e8-41b6-a28f-9de5030cb714.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--56232217-f57d-4b11-ab71-b53a9e0132d6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3066ddc9-b4e8-41b6-a28f-9de5030cb714", + "created": "2026-04-22T15:56:30.348Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T15:56:30.348Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--73773bb8-c63b-4d48-9b48-33440f12a514", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json b/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json index a5cf1bf79c..7548d91260 100644 
--- a/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json +++ b/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f5471e23-5d53-467c-8231-68138bd37194", + "id": "bundle--feb039bd-6c1d-49c2-bccc-e74c9989237b", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--309e4558-e591-4d03-9bb9-07d30acf011f", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "McAfee Labs October 2019", diff --git a/ics-attack/relationship/relationship--314a1b91-167a-4ad5-a36b-8bbdbd286540.json b/ics-attack/relationship/relationship--314a1b91-167a-4ad5-a36b-8bbdbd286540.json index 9c2dd8fac3..7cd5997d61 100644 --- a/ics-attack/relationship/relationship--314a1b91-167a-4ad5-a36b-8bbdbd286540.json +++ b/ics-attack/relationship/relationship--314a1b91-167a-4ad5-a36b-8bbdbd286540.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2d7ea84-164d-42d8-ae51-958bf5c9f4b0", + "id": "bundle--afdbd306-58c9-4966-9870-a2570e8ab1a9", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c94af5cb-61c3-4180-81e7-30c1669f4252", "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", diff --git a/ics-attack/relationship/relationship--66738beb-0a33-4d70-baec-8307b5b34f80.json b/ics-attack/relationship/relationship--316110bc-9b4c-41e4-96eb-d8051a4fda6c.json similarity index 71% rename from ics-attack/relationship/relationship--66738beb-0a33-4d70-baec-8307b5b34f80.json rename to ics-attack/relationship/relationship--316110bc-9b4c-41e4-96eb-d8051a4fda6c.json index 71e9ce1847..e942e5532c 100644 
--- a/ics-attack/relationship/relationship--66738beb-0a33-4d70-baec-8307b5b34f80.json +++ b/ics-attack/relationship/relationship--316110bc-9b4c-41e4-96eb-d8051a4fda6c.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--514ab6ad-a879-4e64-8c19-a7bc11ce064b", + "id": "bundle--c7998f7b-8e0f-459b-907a-f562dff53e1b", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--66738beb-0a33-4d70-baec-8307b5b34f80", + "id": "relationship--316110bc-9b4c-41e4-96eb-d8051a4fda6c", "created": "2023-09-28T20:16:05.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:47.650Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--317ce6a3-7767-4be3-a201-004368f1b2ec.json b/ics-attack/relationship/relationship--317ce6a3-7767-4be3-a201-004368f1b2ec.json index 0b4ca54aaf..3314d47cf7 100644 --- a/ics-attack/relationship/relationship--317ce6a3-7767-4be3-a201-004368f1b2ec.json +++ b/ics-attack/relationship/relationship--317ce6a3-7767-4be3-a201-004368f1b2ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6dc2bd32-1e1d-4cd1-aae0-2524246da9c0", + "id": "bundle--bcef9af1-542a-404d-9201-95c8b201a8dd", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--317ce6a3-7767-4be3-a201-004368f1b2ec", "created": "2025-09-29T19:53:08.323Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json b/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json index 8038c7399d..922deb140f 100644 --- a/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json +++ b/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aba01b0e-8b8a-489e-943d-c7b6e6dcce9a", + "id": "bundle--19ac70b2-6b99-4787-8fdd-a51cbf06012d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--31897c41-1d47-4a34-b531-21c3f74651a8", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", diff --git a/ics-attack/relationship/relationship--31b8d0d3-2e81-4367-80c0-1173988e77d7.json b/ics-attack/relationship/relationship--31b8d0d3-2e81-4367-80c0-1173988e77d7.json new file mode 100644 index 0000000000..66c1b68a59 --- /dev/null +++ b/ics-attack/relationship/relationship--31b8d0d3-2e81-4367-80c0-1173988e77d7.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--2c0e0769-e1b2-46b1-be5d-7929575cf2a8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--31b8d0d3-2e81-4367-80c0-1173988e77d7", + "created": "2026-04-23T00:04:58.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:33:04.080Z", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json b/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json index 39c291fd94..5e12f21bca 100644 --- a/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json +++ b/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--994d8a09-f4ec-476b-a337-e0c4aec08969", + "id": "bundle--880ea530-87a2-4be2-93c7-464dd2d7920c", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Eduard Kovacs March 2018", 
diff --git a/ics-attack/relationship/relationship--31e67caf-6b34-4651-96fc-5b97609c843a.json b/ics-attack/relationship/relationship--31e67caf-6b34-4651-96fc-5b97609c843a.json index de958d37c0..008dbd0911 100644 --- a/ics-attack/relationship/relationship--31e67caf-6b34-4651-96fc-5b97609c843a.json +++ b/ics-attack/relationship/relationship--31e67caf-6b34-4651-96fc-5b97609c843a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a92adb36-39ac-48f4-b8fd-c4a3e3b3d61b", + "id": "bundle--e8dca629-0046-41a3-9c91-9c6ec421e320", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ad675d25-2829-48e5-8475-28f1ed5d813a", "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", diff --git a/ics-attack/relationship/relationship--321dfef3-01bf-40ee-901e-6354b945c31a.json b/ics-attack/relationship/relationship--321dfef3-01bf-40ee-901e-6354b945c31a.json index e2906f406d..23046b5f95 100644 --- a/ics-attack/relationship/relationship--321dfef3-01bf-40ee-901e-6354b945c31a.json +++ b/ics-attack/relationship/relationship--321dfef3-01bf-40ee-901e-6354b945c31a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd80568f-5e02-4a3e-ab68-67840f2a5b81", + "id": "bundle--4e8c7c2d-608d-4ad3-a37e-e5647aab11b4", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--b6a6d95c-e3b5-438d-a095-3fb0859c8f45", "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", diff --git a/ics-attack/relationship/relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5.json b/ics-attack/relationship/relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5.json index cd9f3d2571..e71dee67b6 100644 
--- a/ics-attack/relationship/relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5.json +++ b/ics-attack/relationship/relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ee8c66f-7bda-4b57-93c4-41fce7f9217e", + "id": "bundle--ee586846-0733-445d-8d48-7c5543013b42", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5", "created": "2023-09-28T20:26:15.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:48.778Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json b/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json index 7958d69582..e3d957a146 100644 --- a/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json +++ b/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c07b6fad-c798-4566-aed5-9d1e58799a71", + "id": "bundle--f11ac69f-8f66-4391-9601-44780122feea", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--327916f7-fe5d-4858-adeb-f72f74c60c25", "created": "2021-10-08T15:25:32.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b.json b/ics-attack/relationship/relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b.json index c9a4b4b20e..ebd82920d6 100644 
--- a/ics-attack/relationship/relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b.json +++ b/ics-attack/relationship/relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02687b9e-d86f-4d01-943b-aeba6644e465", + "id": "bundle--7ce1b98b-72c1-4bf4-ab14-5c093296048c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b", "created": "2023-09-28T21:21:07.833Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:49.213Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa.json b/ics-attack/relationship/relationship--32b2bb93-7ddc-4f96-8bfd-2534309a9d75.json similarity index 71% rename from ics-attack/relationship/relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa.json rename to ics-attack/relationship/relationship--32b2bb93-7ddc-4f96-8bfd-2534309a9d75.json index 330c2fb315..2d10b9a273 100644 --- a/ics-attack/relationship/relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa.json +++ b/ics-attack/relationship/relationship--32b2bb93-7ddc-4f96-8bfd-2534309a9d75.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--2480a700-6309-487c-a158-e80719206aca", + "id": "bundle--fcbe69d6-2089-4589-b89f-b470617861ca", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa", + "id": "relationship--32b2bb93-7ddc-4f96-8bfd-2534309a9d75", "created": "2023-09-29T17:45:55.581Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:19.116Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json b/ics-attack/relationship/relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json index 83816d9a93..60b05b0888 100644 --- a/ics-attack/relationship/relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json +++ b/ics-attack/relationship/relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef87e649-dce1-48b4-8303-ec7da9de2529", + "id": "bundle--5cb8e6ac-99a6-425e-b92d-df47e959fcaa", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b", "created": "2023-09-28T20:10:23.215Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:49.426Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--32d15d1a-04ba-4035-907a-e2871425e8d1.json b/ics-attack/relationship/relationship--32d15d1a-04ba-4035-907a-e2871425e8d1.json index c8e6b45daa..1a41dce250 100644 --- a/ics-attack/relationship/relationship--32d15d1a-04ba-4035-907a-e2871425e8d1.json 
+++ b/ics-attack/relationship/relationship--32d15d1a-04ba-4035-907a-e2871425e8d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f8a16c35-817d-43d9-92ca-b91de9e6b93d", + "id": "bundle--dec5648e-e9f5-463b-8821-f0c167352b0c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--32d15d1a-04ba-4035-907a-e2871425e8d1", "created": "2023-09-28T20:28:40.722Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:49.640Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json b/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json index e9fbaefb7c..bf1f7df4d9 100644 --- a/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json +++ b/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--99629ade-f2f0-475c-89d6-3242a7805996", + "id": "bundle--36ab7c28-8aca-4774-8a2f-6b8f7c778b34", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3334e647-fd5d-481d-a7f9-66f73911a57a.json b/ics-attack/relationship/relationship--3334e647-fd5d-481d-a7f9-66f73911a57a.json index 5c53cbcb90..3cb3de9cd7 100644 --- a/ics-attack/relationship/relationship--3334e647-fd5d-481d-a7f9-66f73911a57a.json +++ b/ics-attack/relationship/relationship--3334e647-fd5d-481d-a7f9-66f73911a57a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0902fa8-5e6e-4b5a-86e6-6e24c651dde5", + "id": "bundle--612e647b-158d-46c8-a794-6d230e77121d", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--3334e647-fd5d-481d-a7f9-66f73911a57a", "created": "2023-09-28T19:45:30.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:50.097Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--337f366d-3d76-470c-8ee2-0e2252648282.json b/ics-attack/relationship/relationship--337f366d-3d76-470c-8ee2-0e2252648282.json index 3bcdc1ab24..0bc678446f 100644 --- a/ics-attack/relationship/relationship--337f366d-3d76-470c-8ee2-0e2252648282.json +++ b/ics-attack/relationship/relationship--337f366d-3d76-470c-8ee2-0e2252648282.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--455f251b-1669-46dd-a346-cdab95b50f46", + "id": "bundle--3478406a-fc0d-4e1a-a4c3-677622b1dd4a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--337f366d-3d76-470c-8ee2-0e2252648282", "created": "2024-03-25T20:19:43.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--33974565-1d55-445f-9f6f-983707000cf4.json b/ics-attack/relationship/relationship--33974565-1d55-445f-9f6f-983707000cf4.json new file mode 100644 index 0000000000..ccc8691b07 --- /dev/null +++ b/ics-attack/relationship/relationship--33974565-1d55-445f-9f6f-983707000cf4.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--f9e834b8-ad95-4a16-82ca-ea447035dfbb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--33974565-1d55-445f-9f6f-983707000cf4", + "created": "2026-04-22T22:50:10.723Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:50:10.723Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--33b1b49f-012d-4af3-835a-32d8c75b9e1b.json b/ics-attack/relationship/relationship--33b1b49f-012d-4af3-835a-32d8c75b9e1b.json new file mode 100644 index 0000000000..2e886636a6 --- /dev/null +++ b/ics-attack/relationship/relationship--33b1b49f-012d-4af3-835a-32d8c75b9e1b.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--3b1e2de0-6037-4bdb-a753-357bef733350", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--33b1b49f-012d-4af3-835a-32d8c75b9e1b", + "created": "2026-04-22T20:38:11.633Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:38:11.633Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3412e6dd-6adb-4c91-a5d8-c4f68dd362d5.json b/ics-attack/relationship/relationship--3412e6dd-6adb-4c91-a5d8-c4f68dd362d5.json index 060e51ff3a..85125bbebe 100644 --- a/ics-attack/relationship/relationship--3412e6dd-6adb-4c91-a5d8-c4f68dd362d5.json +++ b/ics-attack/relationship/relationship--3412e6dd-6adb-4c91-a5d8-c4f68dd362d5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--273347e2-5a3c-4914-82f7-08f4390f88bb", + "id": "bundle--9ecfab92-12e4-40d9-89d4-ae768f243918", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3412e6dd-6adb-4c91-a5d8-c4f68dd362d5", "created": "2025-09-24T18:21:00.372Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--34535779-9957-4766-a7fc-e8d4dbfb5eee.json b/ics-attack/relationship/relationship--34535779-9957-4766-a7fc-e8d4dbfb5eee.json index 88b6aed05f..be41b445d2 100644 
--- a/ics-attack/relationship/relationship--34535779-9957-4766-a7fc-e8d4dbfb5eee.json +++ b/ics-attack/relationship/relationship--34535779-9957-4766-a7fc-e8d4dbfb5eee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd3307c9-aaf7-4c18-a46f-1042b94db8f0", + "id": "bundle--c644ed0f-5a1c-4649-a553-53ae8d2322ee", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--34535779-9957-4766-a7fc-e8d4dbfb5eee", "created": "2025-09-24T17:57:06.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--345e698d-8302-4e84-9c5b-c3b78972c0e1.json b/ics-attack/relationship/relationship--345e698d-8302-4e84-9c5b-c3b78972c0e1.json new file mode 100644 index 0000000000..709001cdb7 --- /dev/null +++ b/ics-attack/relationship/relationship--345e698d-8302-4e84-9c5b-c3b78972c0e1.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--0fee69b8-c337-4f43-ae82-6000862b4a86", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--345e698d-8302-4e84-9c5b-c3b78972c0e1", + "created": "2026-04-22T13:54:38.311Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:54:38.311Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--3471632d-253d-469e-9e8c-3b291b4ae88a.json b/ics-attack/relationship/relationship--3471632d-253d-469e-9e8c-3b291b4ae88a.json index af65b7df74..d6660e88ab 100644 --- a/ics-attack/relationship/relationship--3471632d-253d-469e-9e8c-3b291b4ae88a.json +++ b/ics-attack/relationship/relationship--3471632d-253d-469e-9e8c-3b291b4ae88a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04b65daf-c78f-471d-bfe9-f64cc99a6499", + "id": "bundle--cfd5236c-9f18-46c9-b402-d613645d6b30", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3471632d-253d-469e-9e8c-3b291b4ae88a", "created": "2023-09-28T21:14:15.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:51.437Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json b/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json index cbca2ad6f8..a222eb2de0 100644 --- a/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json +++ b/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1eb61b4c-ce30-4588-8a25-a37d43b947b4", + "id": "bundle--088a0c93-6c6b-4d7e-be5b-9454c897a075", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3484426b-33b6-4f9b-9b62-3dd114794848.json b/ics-attack/relationship/relationship--3484426b-33b6-4f9b-9b62-3dd114794848.json new file mode 100644 index 0000000000..b004aaab97 --- /dev/null +++ b/ics-attack/relationship/relationship--3484426b-33b6-4f9b-9b62-3dd114794848.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--49e55da0-f4e6-4630-9e35-deba09b74042", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3484426b-33b6-4f9b-9b62-3dd114794848", + "created": "2026-04-20T20:58:46.793Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:46.793Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json b/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json index ef4079e89d..afef6e1f11 100644 --- a/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json +++ b/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b0897e4d-9899-466f-b247-6409aec6436f", + "id": "bundle--df654914-cfdc-46b6-b730-3192e3349367", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--34cacc74-a461-4ed9-a683-952cbeea6e1d.json b/ics-attack/relationship/relationship--34cacc74-a461-4ed9-a683-952cbeea6e1d.json new file mode 100644 index 0000000000..6aa755dd49 --- /dev/null +++ b/ics-attack/relationship/relationship--34cacc74-a461-4ed9-a683-952cbeea6e1d.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--ba498468-17cf-40a1-bac2-af0b02aa28d3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--34cacc74-a461-4ed9-a683-952cbeea6e1d", + "created": "2026-04-23T00:36:39.544Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:36:39.544Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json b/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json index 6a3e401cbb..157d3a30cb 100644 --- a/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json +++ b/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--abda8287-cebb-4397-ac03-c64364b34212", + "id": "bundle--6acca155-ebb7-4707-ad01-0be5d9fa4d44", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json b/ics-attack/relationship/relationship--34dcc9e8-a43a-475b-81b6-b15240545075.json similarity index 79% rename from ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json rename to ics-attack/relationship/relationship--34dcc9e8-a43a-475b-81b6-b15240545075.json index 3fdf15d973..de10508dbf 100644 --- a/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json 
+++ b/ics-attack/relationship/relationship--34dcc9e8-a43a-475b-81b6-b15240545075.json @@ -1,24 +1,15 @@ { "type": "bundle", - "id": "bundle--cd12eb86-a2b3-4865-b411-c78244860fde", + "id": "bundle--53ec331a-03be-4811-8e5f-bff11aaf359c", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--206cc4c8-797e-427b-86f1-4c81df391c6e", + "id": "relationship--34dcc9e8-a43a-475b-81b6-b15240545075", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", 
@@ -28,19 +19,29 @@ "source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + }, + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:24:52.265Z", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "modified": "2026-04-23T19:02:59.357Z", + "description": "Segment operational assets and their management devices based on their functional role within the process. 
Enabling more strict isolation to more critical control and operational information within the control environment.(Citation: Karen Scarfone; Paul Hoffman September 2009)(Citation: Keith Stouffer May 2015)(Citation: Department of Homeland Security September 2016)(Citation: Dwight Anderson 2014) \n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json b/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json index b0dddb96ab..9b26d34119 100644 --- a/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json +++ b/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--114df584-232b-47dd-9fa4-510da036c592", + "id": "bundle--6ed63599-6b02-41a3-ba5b-0942430a2aed", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TRITON", diff --git a/ics-attack/relationship/relationship--3526acc8-8834-4aaa-87a5-51e587360cf5.json b/ics-attack/relationship/relationship--3526acc8-8834-4aaa-87a5-51e587360cf5.json index 9b5022c46a..11de910e74 100644 --- a/ics-attack/relationship/relationship--3526acc8-8834-4aaa-87a5-51e587360cf5.json +++ b/ics-attack/relationship/relationship--3526acc8-8834-4aaa-87a5-51e587360cf5.json 
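Review bot: The rewritten `description` in the `@@ -28,19 +19,29 @@` hunk of `relationship--34dcc9e8-a43a-475b-81b6-b15240545075` still ends in a space and `\n` after the last citation, and its second sentence ("Enabling more strict isolation …") is a fragment. Consumers that render the mitigation text or parse the `(Citation: …)` markers may carry the trailing whitespace into their output. Ending the string at `(Citation: Dwight Anderson 2014)"` and opening the second sentence with `This enables stricter isolation of` would keep the meaning while cleaning up the field the commit is already editing.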
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5efc21aa-ff55-48d3-8d45-cebb007f7069", + "id": "bundle--405ce1fa-99de-4c65-b583-25c11188a9dc", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3526acc8-8834-4aaa-87a5-51e587360cf5", "created": "2023-09-29T18:45:47.394Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:52.764Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--352ed52c-88ba-4731-a917-4c33da0f29d4.json b/ics-attack/relationship/relationship--352ed52c-88ba-4731-a917-4c33da0f29d4.json index 2756c8a83e..d0e60d1f16 100644 --- a/ics-attack/relationship/relationship--352ed52c-88ba-4731-a917-4c33da0f29d4.json +++ b/ics-attack/relationship/relationship--352ed52c-88ba-4731-a917-4c33da0f29d4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5183605d-d7fa-44a4-b98f-165f9b353bb0", + "id": "bundle--533ae537-c912-4637-9c24-96ea304419e4", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--352ed52c-88ba-4731-a917-4c33da0f29d4", "created": "2023-09-27T14:44:00.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Andy Greenberg June 2017", diff --git a/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json b/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json index c3d9ccb311..de3c391a72 100644 --- a/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json +++ b/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef49bed0-9c6c-470c-abd1-3b049f60cdd2", + "id": "bundle--759b8884-2974-4291-ac31-cbdd84646e25", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--35d3a730-4de6-4406-a025-ad29340985c2.json b/ics-attack/relationship/relationship--35d3a730-4de6-4406-a025-ad29340985c2.json index ad31c88807..16e739bc90 100644 --- a/ics-attack/relationship/relationship--35d3a730-4de6-4406-a025-ad29340985c2.json +++ b/ics-attack/relationship/relationship--35d3a730-4de6-4406-a025-ad29340985c2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca6abb57-6e46-45e8-b5cc-8a2c17974005", + "id": "bundle--f10de146-6fab-44ff-bbeb-4930aa76732d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--35d3a730-4de6-4406-a025-ad29340985c2", "created": "2025-09-24T18:21:48.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json b/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json index b3ae9e6ae6..549d2a16ea 100644 --- a/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json +++ b/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e197d7f3-c547-4305-9461-7742f7079790", + "id": "bundle--5c65939e-e275-4029-9203-7649c5298a77", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--3618a010-b94b-4974-b1be-7630d5c853c1", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Robert Falcone, Bryan Lee May 2016", diff --git a/ics-attack/relationship/relationship--3623e266-6de4-4165-b0fb-e9abf0813e5d.json b/ics-attack/relationship/relationship--3623e266-6de4-4165-b0fb-e9abf0813e5d.json new file mode 100644 index 0000000000..4a8bc54ae5 --- /dev/null +++ b/ics-attack/relationship/relationship--3623e266-6de4-4165-b0fb-e9abf0813e5d.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--609d1490-ab6a-4804-b922-f3e9056c2a8e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3623e266-6de4-4165-b0fb-e9abf0813e5d", + "created": "2026-04-22T22:31:00.015Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:31:00.015Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3666c249-26c8-4aad-8dc7-5d07253b1c5c.json b/ics-attack/relationship/relationship--3666c249-26c8-4aad-8dc7-5d07253b1c5c.json index b98c89c0b0..eddcbc6629 100644 --- a/ics-attack/relationship/relationship--3666c249-26c8-4aad-8dc7-5d07253b1c5c.json +++ b/ics-attack/relationship/relationship--3666c249-26c8-4aad-8dc7-5d07253b1c5c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75cb8e39-dd58-4372-ba6b-f3e50b143312", + "id": "bundle--8b9d8e89-0b0d-47fa-a129-575ad1139bac", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3666c249-26c8-4aad-8dc7-5d07253b1c5c", "created": "2025-09-29T19:07:15.758Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json b/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json index e43be65a5f..16cfd9100d 100644 --- a/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json +++ b/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7c8703e3-a170-4dce-8f2b-dc855c45a318", + "id": "bundle--1992d172-4302-47fc-905d-58b959399f73", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3680ab7a-254b-426c-b417-460712c2f357.json b/ics-attack/relationship/relationship--3680ab7a-254b-426c-b417-460712c2f357.json new file mode 100644 index 0000000000..1edca52f7e --- /dev/null +++ b/ics-attack/relationship/relationship--3680ab7a-254b-426c-b417-460712c2f357.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--88ef68ee-c2d1-4339-aea3-3b63da08addc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3680ab7a-254b-426c-b417-460712c2f357", + "created": "2026-04-22T20:43:20.666Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:43:29.753Z", + "description": "Ensure proper network segmentation is followed to protect critical servers and devices.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d.json b/ics-attack/relationship/relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d.json index 2c8e138547..484f2feb43 100644 --- a/ics-attack/relationship/relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d.json +++ b/ics-attack/relationship/relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--caba9530-2807-409d-9ff4-bc24e1c512d9", + "id": "bundle--419d75f7-730e-409c-b731-e30d4ccbcac2", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d", "created": "2023-09-28T20:29:27.153Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:54.072Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--37048032-b41d-47d8-9c73-7b706bef24d1.json b/ics-attack/relationship/relationship--37048032-b41d-47d8-9c73-7b706bef24d1.json index a9f055ca40..65f7740a6d 100644 --- a/ics-attack/relationship/relationship--37048032-b41d-47d8-9c73-7b706bef24d1.json +++ b/ics-attack/relationship/relationship--37048032-b41d-47d8-9c73-7b706bef24d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3928da44-8cf1-436f-8b16-03312af4e1b4", + "id": "bundle--632a0f05-1380-4037-820f-fafa13b7c871", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--37048032-b41d-47d8-9c73-7b706bef24d1", "created": "2023-09-28T20:27:58.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:54.320Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--371fe079-430d-46dc-ad31-a53838fc6c24.json b/ics-attack/relationship/relationship--371fe079-430d-46dc-ad31-a53838fc6c24.json index 0cd3454648..a359e35fb2 100644 --- a/ics-attack/relationship/relationship--371fe079-430d-46dc-ad31-a53838fc6c24.json +++ b/ics-attack/relationship/relationship--371fe079-430d-46dc-ad31-a53838fc6c24.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6cb60c38-41bd-4864-ace2-44d46914cab3", + "id": "bundle--cc0eff50-f136-486c-8e24-f1905a942505", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--371fe079-430d-46dc-ad31-a53838fc6c24", "created": "2025-09-29T19:06:13.410Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json b/ics-attack/relationship/relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json index 09c8e83bde..383b15e7b8 100644 --- a/ics-attack/relationship/relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json +++ b/ics-attack/relationship/relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd58f298-1368-477e-9c52-57a2c8df2b5a", + "id": "bundle--95b8703f-5030-4ce6-9c36-3458fdbdbf03", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be", "created": "2023-09-28T21:13:36.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:54.521Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--3731962f-64e7-4750-ac8b-40b97eef8725.json b/ics-attack/relationship/relationship--3731962f-64e7-4750-ac8b-40b97eef8725.json index 942868b312..0a2e819f1a 100644 --- a/ics-attack/relationship/relationship--3731962f-64e7-4750-ac8b-40b97eef8725.json +++ b/ics-attack/relationship/relationship--3731962f-64e7-4750-ac8b-40b97eef8725.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--44b66dee-9e35-455a-8326-1456d9a4ef45", + "id": "bundle--4a916d76-58b4-4266-a0e5-8179a81dc0f6", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3731962f-64e7-4750-ac8b-40b97eef8725", "created": "2023-09-29T16:41:15.943Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:54.729Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--373627f1-5e68-45ab-b1ac-c063d9585a3e.json b/ics-attack/relationship/relationship--373627f1-5e68-45ab-b1ac-c063d9585a3e.json index 2ce87eb319..b4a66ee3b9 100644 --- a/ics-attack/relationship/relationship--373627f1-5e68-45ab-b1ac-c063d9585a3e.json +++ b/ics-attack/relationship/relationship--373627f1-5e68-45ab-b1ac-c063d9585a3e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--726f0114-01bc-43cb-b698-60175f8e83c1", + "id": "bundle--b8c0f3bf-6961-4cad-918c-2836fa0e9cfb", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--373627f1-5e68-45ab-b1ac-c063d9585a3e", "created": "2025-09-24T17:56:56.872Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--374837a0-6109-4c95-bee6-893b25ac71cf.json b/ics-attack/relationship/relationship--374837a0-6109-4c95-bee6-893b25ac71cf.json index 0d49be30d5..263e397f89 100644 --- a/ics-attack/relationship/relationship--374837a0-6109-4c95-bee6-893b25ac71cf.json +++ b/ics-attack/relationship/relationship--374837a0-6109-4c95-bee6-893b25ac71cf.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8f7aa9d3-6dbf-445a-906b-55e0c6a952cb", + "id": "bundle--d94271f6-36f2-499e-8cb5-73ccd1d332a6", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--374837a0-6109-4c95-bee6-893b25ac71cf", "created": "2023-09-28T21:13:12.715Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:54.931Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--37754ab4-03de-475b-8eb2-4ac3fad63852.json b/ics-attack/relationship/relationship--37754ab4-03de-475b-8eb2-4ac3fad63852.json index f06c61a2b1..7dd4b04ffe 100644 --- a/ics-attack/relationship/relationship--37754ab4-03de-475b-8eb2-4ac3fad63852.json +++ b/ics-attack/relationship/relationship--37754ab4-03de-475b-8eb2-4ac3fad63852.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e30dd655-4563-4ee0-9190-0e42e4b13177", + "id": "bundle--1fb4a44e-7d83-45ef-bae3-93c31ce5ed96", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--37754ab4-03de-475b-8eb2-4ac3fad63852", "created": "2025-09-29T19:06:24.302Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2.json b/ics-attack/relationship/relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2.json index eb3a3f4c23..e86a4f5f90 100644 --- a/ics-attack/relationship/relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2.json +++ b/ics-attack/relationship/relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4de2593a-1ef7-49e3-bc2f-cbe31941241c", + "id": "bundle--42fdfa04-2eaa-496e-be8e-a500e50f5a26", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2", "created": "2023-09-29T16:31:46.749Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:55.587Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631.json b/ics-attack/relationship/relationship--37e1b5d8-c800-4eee-9348-e183cc62d385.json similarity index 71% rename from ics-attack/relationship/relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631.json rename to ics-attack/relationship/relationship--37e1b5d8-c800-4eee-9348-e183cc62d385.json index 505fe4a8e0..7360207f82 100644 --- a/ics-attack/relationship/relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631.json +++ b/ics-attack/relationship/relationship--37e1b5d8-c800-4eee-9348-e183cc62d385.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--8c62399b-18fd-4394-8b9c-8b5172faa5e6", + "id": "bundle--232656b4-6dd9-40e2-a690-694b4c7cca05", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631", + "id": "relationship--37e1b5d8-c800-4eee-9348-e183cc62d385", "created": "2023-09-28T21:09:33.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:10.979Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--37f0a727-5b6a-4acc-83fc-e2c13f5acc39.json b/ics-attack/relationship/relationship--37f0a727-5b6a-4acc-83fc-e2c13f5acc39.json new file mode 100644 index 0000000000..247a51a9cf --- /dev/null +++ b/ics-attack/relationship/relationship--37f0a727-5b6a-4acc-83fc-e2c13f5acc39.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--b230dd04-aa7c-4082-9ef8-047f55b97ef6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--37f0a727-5b6a-4acc-83fc-e2c13f5acc39", + "created": "2026-04-22T22:50:35.824Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:50:35.824Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
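Review bot: In `relationship--37e1b5d8-c800-4eee-9348-e183cc62d385.json` the object gets a new `id` and a new `source_ref`, yet the `created` and `modified` context lines keep their old values (`"modified": "2025-04-16T23:03:10.979Z"`), so a consumer that filters on `modified` would not see that this `targets` edge was re-pointed away from the revoked technique. The id swap itself is in the file's earlier hunk (`@@ -1,11 +1,11 @@`). The old id `relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631` disappears instead of being kept as revoked or deprecated, which presumably leaves downstream mappings keyed on it with no tombstone. If the exporter allows it, stamp the re-pointed object with the release time, as the new `revoked-by` relationship in this commit does: `"modified": "<release timestamp>"`. This file also keeps `"revoked": false` while sibling hunks drop that key, which looks like an exporter inconsistency worth confirming.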
diff --git a/ics-attack/relationship/relationship--380ef144-1443-4df1-b7de-a6ed3d66d573.json b/ics-attack/relationship/relationship--380ef144-1443-4df1-b7de-a6ed3d66d573.json new file mode 100644 index 0000000000..fc5aa687d7 --- /dev/null +++ b/ics-attack/relationship/relationship--380ef144-1443-4df1-b7de-a6ed3d66d573.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a3d644c9-f460-47a1-bf9a-fb596de2a4e6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--380ef144-1443-4df1-b7de-a6ed3d66d573", + "created": "2026-04-22T13:28:38.829Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:28:38.829Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3838eb1c-488a-4e73-bc3d-e25cacd6926d.json b/ics-attack/relationship/relationship--3838eb1c-488a-4e73-bc3d-e25cacd6926d.json new file mode 100644 index 0000000000..030f8a28ff --- /dev/null +++ b/ics-attack/relationship/relationship--3838eb1c-488a-4e73-bc3d-e25cacd6926d.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--a3ad3792-7456-4d42-8976-cdaddf1fe4d0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3838eb1c-488a-4e73-bc3d-e25cacd6926d", + "created": "2026-04-20T20:58:37.797Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:37.797Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json b/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json index 1b7e4d6132..6fdf81b7d1 100644 --- a/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json +++ b/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3250c979-155d-458b-aa96-ef25ab0c9374", + "id": "bundle--02538d14-266a-4507-bb4d-5931a207be4d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--383e242a-72d4-4b40-8905-888595c34919", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Kelly Jackson Higgins", diff --git a/ics-attack/relationship/relationship--3843dcca-62a2-4224-9241-05f981fa880a.json b/ics-attack/relationship/relationship--3843dcca-62a2-4224-9241-05f981fa880a.json index 3f1bd9aa88..e42f558c0f 100644 --- a/ics-attack/relationship/relationship--3843dcca-62a2-4224-9241-05f981fa880a.json 
+++ b/ics-attack/relationship/relationship--3843dcca-62a2-4224-9241-05f981fa880a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--06c2c189-ff20-4173-b353-4a5aab79ee84", + "id": "bundle--aeb2f7ad-0c38-4737-b4fe-307935363540", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3843dcca-62a2-4224-9241-05f981fa880a", "created": "2023-09-28T19:46:23.921Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:56.034Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--387a9ace-17bd-484b-8d54-d3bbc1304c90.json b/ics-attack/relationship/relationship--387a9ace-17bd-484b-8d54-d3bbc1304c90.json new file mode 100644 index 0000000000..7aff6dd41e --- /dev/null +++ b/ics-attack/relationship/relationship--387a9ace-17bd-484b-8d54-d3bbc1304c90.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--141e4ec1-ea36-4202-a512-1042697c2482", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--387a9ace-17bd-484b-8d54-d3bbc1304c90", + "created": "2026-04-22T20:08:53.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T01:12:18.402Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used Advanced Port Scanner and Advanced IP Scanner to conduct remote system discovery activities.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--38bda770-c470-4358-a9ad-a5b39bec026b.json b/ics-attack/relationship/relationship--38bda770-c470-4358-a9ad-a5b39bec026b.json index 3d8a067a11..8f590a5605 100644 --- a/ics-attack/relationship/relationship--38bda770-c470-4358-a9ad-a5b39bec026b.json +++ b/ics-attack/relationship/relationship--38bda770-c470-4358-a9ad-a5b39bec026b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f88b6054-8658-4c04-acb4-d2f7c3fc0e8b", + "id": "bundle--14ac4d4e-38ac-4594-9fbb-f1a1a6a7c2e7", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--38bda770-c470-4358-a9ad-a5b39bec026b", "created": "2023-09-29T16:28:28.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:56.485Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--393983b0-aeb0-4cc0-ae77-8180fe9f8f87.json b/ics-attack/relationship/relationship--393983b0-aeb0-4cc0-ae77-8180fe9f8f87.json index ec1a83efdc..651e497906 100644 --- a/ics-attack/relationship/relationship--393983b0-aeb0-4cc0-ae77-8180fe9f8f87.json +++ b/ics-attack/relationship/relationship--393983b0-aeb0-4cc0-ae77-8180fe9f8f87.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4952f9a-1d30-464a-9672-fc4a3e391ece", + "id": "bundle--68e05651-111f-434e-957c-61d056437fee", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--393983b0-aeb0-4cc0-ae77-8180fe9f8f87", "created": "2025-09-24T18:04:47.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--39452123-574f-4f3a-95ec-a90170a3d7eb.json b/ics-attack/relationship/relationship--39452123-574f-4f3a-95ec-a90170a3d7eb.json index 23d70b4356..fd3e1d45a5 100644 --- a/ics-attack/relationship/relationship--39452123-574f-4f3a-95ec-a90170a3d7eb.json +++ b/ics-attack/relationship/relationship--39452123-574f-4f3a-95ec-a90170a3d7eb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4919d4b-9227-4c22-a8f5-59b05484170b", + "id": "bundle--ee1279d7-8aa8-4437-bb19-9b80559d552e", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--39452123-574f-4f3a-95ec-a90170a3d7eb", "created": "2023-10-02T20:20:44.850Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:56.704Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--399126a9-815d-4c3b-9d5e-f57d698ac742.json b/ics-attack/relationship/relationship--399126a9-815d-4c3b-9d5e-f57d698ac742.json index 757cc033b2..85c1386b36 100644 --- a/ics-attack/relationship/relationship--399126a9-815d-4c3b-9d5e-f57d698ac742.json +++ b/ics-attack/relationship/relationship--399126a9-815d-4c3b-9d5e-f57d698ac742.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d9580956-8ae5-4832-af99-620a2cb3a4de", + "id": "bundle--4e7ea520-0a2a-4503-b690-6df565b48bf5", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--399126a9-815d-4c3b-9d5e-f57d698ac742", "created": "2023-09-28T19:40:36.023Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:56.917Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--39dcfc44-5f18-475f-b431-22032a14cbe5.json b/ics-attack/relationship/relationship--39dcfc44-5f18-475f-b431-22032a14cbe5.json new file mode 100644 index 0000000000..59ad5cbc96 --- /dev/null +++ b/ics-attack/relationship/relationship--39dcfc44-5f18-475f-b431-22032a14cbe5.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--82288634-5cb9-432a-a874-11836ddf6c6e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--39dcfc44-5f18-475f-b431-22032a14cbe5", + "created": "2026-04-22T22:52:48.727Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:17:42.859Z", + "description": "Segment operational networks to isolate critical systems and devices that do not require broad network access.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--39e5a489-f557-4130-a285-e0a82f40685c.json b/ics-attack/relationship/relationship--39e5a489-f557-4130-a285-e0a82f40685c.json index db9ac19f41..bd85e535c8 100644 --- a/ics-attack/relationship/relationship--39e5a489-f557-4130-a285-e0a82f40685c.json +++ b/ics-attack/relationship/relationship--39e5a489-f557-4130-a285-e0a82f40685c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f596f14b-2a10-4393-a358-320b613ecc74", + "id": "bundle--313cebc4-f319-4216-b72c-52f4b459d48a", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--39e5a489-f557-4130-a285-e0a82f40685c", "created": "2023-09-28T19:46:38.112Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:57.345Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584.json b/ics-attack/relationship/relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584.json index ac2307eb4d..6bfc4762d4 100644 --- a/ics-attack/relationship/relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584.json +++ b/ics-attack/relationship/relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5cace321-65d1-4e06-85e0-57599b560ae3", + "id": "bundle--7c91ce0a-4e0f-4921-8697-4fec7cad7fb3", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584", "created": "2023-09-28T19:40:21.763Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:57.561Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--3a04717f-b74c-4096-b031-ee7115fdc3c9.json b/ics-attack/relationship/relationship--3a04717f-b74c-4096-b031-ee7115fdc3c9.json index 980fcb2b1d..82d8f5b74e 100644 --- a/ics-attack/relationship/relationship--3a04717f-b74c-4096-b031-ee7115fdc3c9.json +++ b/ics-attack/relationship/relationship--3a04717f-b74c-4096-b031-ee7115fdc3c9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34b14521-4c69-4032-bafc-9522043b510c", + "id": "bundle--d3b025ca-6260-4b22-9670-15b50d7713bc", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3a04717f-b74c-4096-b031-ee7115fdc3c9", "created": "2024-03-28T14:29:30.576Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TRITON Dec 2017", diff --git a/ics-attack/relationship/relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974.json b/ics-attack/relationship/relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974.json index 951f212d84..3fa2dde245 100644 --- a/ics-attack/relationship/relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974.json +++ b/ics-attack/relationship/relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--27727a7a-e21a-49e9-a7eb-b4ba5a33fa46", + "id": "bundle--ac981b9b-c901-4184-a9ff-a538585cacf7", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974", "created": "2023-09-29T18:56:47.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:58.066Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", diff --git a/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json b/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json index b3d6b3915b..eae878a3cb 100644 --- a/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json +++ b/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--956661f8-efc6-4b13-820b-195fe27a1087", + "id": "bundle--4ac59cb4-92d6-440c-9849-56e1da0299d2", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca.json b/ics-attack/relationship/relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca.json index c170e2388b..f7eae6e36a 100644 --- a/ics-attack/relationship/relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca.json +++ b/ics-attack/relationship/relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2497b756-4afa-4a74-bc0b-bc1a3e4832a6", + "id": "bundle--faf76ef0-f968-409b-88be-c6e4c09903af", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca", "created": "2023-09-28T19:44:37.687Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:58.486Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json b/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json index 7c5ba411d1..98c05b9828 100644 --- a/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json +++ b/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3041824f-fbb4-40da-8c60-a7baa2fce516", + "id": "bundle--a9144e20-f35f-4373-91d2-649f94ea8b72", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3a7d1db3-9383-4171-8938-382e9b0375c6", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", diff --git a/ics-attack/relationship/relationship--3a9a07b5-0db5-40c6-b3e4-d1a006c85726.json b/ics-attack/relationship/relationship--3a9a07b5-0db5-40c6-b3e4-d1a006c85726.json index 39ff1026f8..2e5153577a 100644 --- a/ics-attack/relationship/relationship--3a9a07b5-0db5-40c6-b3e4-d1a006c85726.json +++ b/ics-attack/relationship/relationship--3a9a07b5-0db5-40c6-b3e4-d1a006c85726.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b75ab24-e5c6-49ce-97f0-aee758103fb3", + "id": "bundle--a207983b-f6fd-4f91-8daf-e31f8cfa5b07", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--67c2be08-d31a-4385-a637-9d1a907c7a26", "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", diff --git a/ics-attack/relationship/relationship--3a9fc435-30b7-4684-a874-026c129aaa79.json b/ics-attack/relationship/relationship--3a9fc435-30b7-4684-a874-026c129aaa79.json index 1012080b76..d7823ea00b 100644 --- a/ics-attack/relationship/relationship--3a9fc435-30b7-4684-a874-026c129aaa79.json +++ b/ics-attack/relationship/relationship--3a9fc435-30b7-4684-a874-026c129aaa79.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9af524e1-3325-46cd-9309-cba7aef7a336", + "id": "bundle--5506a4fa-b7fd-49b2-a423-271390d3984f", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--3a9fc435-30b7-4684-a874-026c129aaa79", "created": "2025-09-24T17:54:22.945Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea.json b/ics-attack/relationship/relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea.json index 7aebb8a90b..5074501768 100644 --- a/ics-attack/relationship/relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea.json +++ b/ics-attack/relationship/relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c3961a4-c9ad-4c1b-b531-cb4e19edbeaf", + "id": "bundle--dd54973c-a11f-4a03-821e-85d7abb57599", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea", "created": "2023-09-28T21:15:18.036Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:58.913Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json b/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json index 7e8e0f262e..0c65d530d1 100644 --- a/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json +++ b/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--00eb3bee-4a80-403d-aad5-a9fc3e3aa967", + "id": "bundle--97b34632-8057-4f11-a926-5c6daf9467a9", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--3abaee7a-5d15-4364-9c74-775865a404b4.json b/ics-attack/relationship/relationship--3abaee7a-5d15-4364-9c74-775865a404b4.json new file mode 100644 index 0000000000..67103a9243 --- /dev/null +++ b/ics-attack/relationship/relationship--3abaee7a-5d15-4364-9c74-775865a404b4.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--38d97653-c3b6-47a5-9ef5-1b7985bdeb1b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3abaee7a-5d15-4364-9c74-775865a404b4", + "created": "2026-04-22T20:24:57.226Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:24:57.226Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35.json b/ics-attack/relationship/relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35.json index e2db00f94d..1ce17c888b 100644 --- a/ics-attack/relationship/relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35.json +++ b/ics-attack/relationship/relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--61b82696-24c4-40bf-87fd-b3c302968cdf", + "id": "bundle--7db0de8d-1aba-45e8-b5b7-2729997ff23e", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35", "created": "2023-09-28T19:43:15.817Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:59.605Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--3afa12ce-4380-4e66-aa1d-4da20ac9023b.json b/ics-attack/relationship/relationship--3afa12ce-4380-4e66-aa1d-4da20ac9023b.json new file mode 100644 index 0000000000..21f5397f9d --- /dev/null +++ b/ics-attack/relationship/relationship--3afa12ce-4380-4e66-aa1d-4da20ac9023b.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--331653fa-bc1c-4a98-8309-d627ada0ebd4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3afa12ce-4380-4e66-aa1d-4da20ac9023b", + "created": "2026-04-22T22:49:32.456Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:49:32.456Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json b/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json index a82bc0e0b0..1f61867514 100644 
--- a/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json +++ b/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c17d850a-d2ff-4f48-a93f-61ab37ebdd57", + "id": "bundle--5a4a3f33-2491-4e3e-84d2-1324a42f8ba6", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3b6567a9-6213-4db4-a069-1a86b1098b63", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Microsoft Security Response Center August 2017", diff --git a/ics-attack/relationship/relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688.json b/ics-attack/relationship/relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688.json index 4d7ecd7d24..5ca81948c1 100644 --- a/ics-attack/relationship/relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688.json +++ b/ics-attack/relationship/relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--52925590-8f6f-4c36-8180-23ea4a2bb7a8", + "id": "bundle--9dfc3181-eee6-4b79-801d-a9ef10ea880f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688", "created": "2023-09-28T19:53:33.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:00.098Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--3b9a4916-78b9-44b3-b0fc-6f167a918d7d.json b/ics-attack/relationship/relationship--3b9a4916-78b9-44b3-b0fc-6f167a918d7d.json new file mode 100644 index 0000000000..aea31b67f4 --- /dev/null 
+++ b/ics-attack/relationship/relationship--3b9a4916-78b9-44b3-b0fc-6f167a918d7d.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--4c226844-7bec-4ed8-9c11-4d9b143bdf4a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3b9a4916-78b9-44b3-b0fc-6f167a918d7d", + "created": "2026-04-23T00:40:03.895Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:35:36.183Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2.json b/ics-attack/relationship/relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2.json index d41bc9b275..8696d5f6d0 100644 --- a/ics-attack/relationship/relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2.json +++ b/ics-attack/relationship/relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--143f6eb3-05fa-407c-83e7-76b44b237a59", + "id": "bundle--fa49f0ee-0003-44f6-830b-e8972cdde20d", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2", "created": "2023-10-02T20:22:15.907Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:00.330Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json b/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json index 6a6298de57..e83b2822d1 100644 --- a/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json +++ b/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2c79911f-fd7b-4acf-a68e-fd420c393392", + "id": "bundle--8b282488-9dc9-46fc-b5ec-13e55795e6d5", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", diff --git a/ics-attack/relationship/relationship--3c2d1b8a-d092-4a71-a0d4-dc5abff338bc.json b/ics-attack/relationship/relationship--3c2d1b8a-d092-4a71-a0d4-dc5abff338bc.json index f546d3ec6f..86483f1f9d 100644 --- a/ics-attack/relationship/relationship--3c2d1b8a-d092-4a71-a0d4-dc5abff338bc.json +++ b/ics-attack/relationship/relationship--3c2d1b8a-d092-4a71-a0d4-dc5abff338bc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--46a67e31-ccd0-441c-a85e-0ea194158a2e", + "id": "bundle--4051ca0a-4000-450a-a038-a4905880b84b", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--3c2d1b8a-d092-4a71-a0d4-dc5abff338bc", "created": "2025-09-24T18:23:15.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--3ce078ca-dad7-477a-8178-f0daf7ee823b.json b/ics-attack/relationship/relationship--3ce078ca-dad7-477a-8178-f0daf7ee823b.json index d7cd4a2e80..447f2d336c 100644 --- a/ics-attack/relationship/relationship--3ce078ca-dad7-477a-8178-f0daf7ee823b.json +++ b/ics-attack/relationship/relationship--3ce078ca-dad7-477a-8178-f0daf7ee823b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cd9df9b4-77fd-492e-8e46-5a2703200c36", + "id": "bundle--0ba4a1b4-c612-4893-b936-74b91ef8cf9a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3ce078ca-dad7-477a-8178-f0daf7ee823b", "created": "2025-09-24T18:18:30.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--3cf99739-b045-4a83-985d-e9984076b81d.json b/ics-attack/relationship/relationship--3cf99739-b045-4a83-985d-e9984076b81d.json new file mode 100644 index 0000000000..a988acc6a0 --- /dev/null +++ b/ics-attack/relationship/relationship--3cf99739-b045-4a83-985d-e9984076b81d.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--68a13b65-bc09-47e1-a06b-fd0fd7aa7895", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3cf99739-b045-4a83-985d-e9984076b81d", + "created": "2026-04-23T00:04:07.892Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:31:16.927Z", + "description": "ll field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json b/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json index fa202ed84a..e3ce4c9bca 100644 --- a/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json +++ b/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2619666a-1130-477f-9fbd-5264fa9467d8", + "id": "bundle--585c46d0-6959-484f-bc42-4bf5d67cef31", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a", "created": "2021-04-13T12:45:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
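Review bot: The `description` added for relationship--3cf99739-b045-4a83-985d-e9984076b81d begins `ll field controllers should restrict the download of programs`, which looks like a truncated "All". The sibling mitigation text added in this diff for relationship--3b9a4916-78b9-44b3-b0fc-6f167a918d7d opens with "All field controllers should". The value should start `"description": "All field controllers should restrict the download of programs, ...`. In the same string the example roles mix plural and singular (`engineers, field technician`), and `field technicians` would match. This text presumably surfaces as the mitigation guidance for the target technique, so the typo would carry into downstream exports.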
diff --git a/ics-attack/relationship/relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a.json b/ics-attack/relationship/relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a.json index 343a9d69d8..f98ecff21e 100644 --- a/ics-attack/relationship/relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a.json +++ b/ics-attack/relationship/relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--64249ced-a836-4b80-a178-7c81c8c48988", + "id": "bundle--30f74270-fd9c-4005-9eaa-aa0930cf596c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a", "created": "2023-09-28T21:26:11.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:02.154Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json b/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json index 3f155a7b1e..325ceac0a2 100644 --- a/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json +++ b/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d1b61a38-bb08-4303-845b-47e7fd41f9e6", + "id": "bundle--900d38cb-d9fd-47f9-8cf4-26718ae7f096", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3d991288-1770-4211-83dc-441ef9944e0f.json b/ics-attack/relationship/relationship--3d991288-1770-4211-83dc-441ef9944e0f.json new file mode 100644 index 0000000000..ba21a2e864 --- /dev/null +++ b/ics-attack/relationship/relationship--3d991288-1770-4211-83dc-441ef9944e0f.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--607eaaa3-96ec-458d-95f3-729b1a29e36a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3d991288-1770-4211-83dc-441ef9944e0f", + "created": "2026-04-22T18:56:11.575Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:56:11.575Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3db8d8d2-89bb-4241-afeb-9b9332aac78e.json b/ics-attack/relationship/relationship--3db8d8d2-89bb-4241-afeb-9b9332aac78e.json index 4b36540e37..66a5e932bf 100644 --- a/ics-attack/relationship/relationship--3db8d8d2-89bb-4241-afeb-9b9332aac78e.json +++ b/ics-attack/relationship/relationship--3db8d8d2-89bb-4241-afeb-9b9332aac78e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--062580ee-2074-4a38-84dc-52d886cd1b80", + "id": "bundle--b1adba08-d0c2-4f2b-bb2f-77549ca3472a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3db8d8d2-89bb-4241-afeb-9b9332aac78e", "created": "2024-03-28T14:31:06.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TEMP.Veles 2018", diff --git a/ics-attack/relationship/relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5.json b/ics-attack/relationship/relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5.json index e62efe9226..7199c7736c 100644 --- a/ics-attack/relationship/relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5.json 
+++ b/ics-attack/relationship/relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4c189ed0-c11c-405f-9a72-810af38cbc2a", + "id": "bundle--e05f6b03-4c01-42d5-8c2f-b5a49409a1fa", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5", "created": "2023-09-29T17:05:08.346Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:03.473Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1.json b/ics-attack/relationship/relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1.json index 28e318325b..ed77932c2a 100644 --- a/ics-attack/relationship/relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1.json +++ b/ics-attack/relationship/relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1eca6e6e-1079-4309-899a-28aeb1ae50c5", + "id": "bundle--4047985c-a78d-49c7-bfcf-c0b38a8cd74e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1", "created": "2023-09-29T16:44:16.391Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:03.720Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
diff --git a/ics-attack/relationship/relationship--3e0c8afc-4c4d-40cc-bb61-f76b3fc1b013.json b/ics-attack/relationship/relationship--3e0c8afc-4c4d-40cc-bb61-f76b3fc1b013.json index 006d6aedab..333525ac31 100644 --- a/ics-attack/relationship/relationship--3e0c8afc-4c4d-40cc-bb61-f76b3fc1b013.json +++ b/ics-attack/relationship/relationship--3e0c8afc-4c4d-40cc-bb61-f76b3fc1b013.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--35a813ed-bb8d-49e1-8d43-01f3c36980f7", + "id": "bundle--4df18a60-53bc-48fc-bfd6-f080a179a6a8", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3e0c8afc-4c4d-40cc-bb61-f76b3fc1b013", "created": "2025-09-29T19:58:46.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--3e1f42f9-2edf-4c32-ac1e-da726b923570.json b/ics-attack/relationship/relationship--3e1f42f9-2edf-4c32-ac1e-da726b923570.json new file mode 100644 index 0000000000..4679fd19b7 --- /dev/null +++ b/ics-attack/relationship/relationship--3e1f42f9-2edf-4c32-ac1e-da726b923570.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--bae0ea81-7044-4a1e-8dfe-b36170e92756", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3e1f42f9-2edf-4c32-ac1e-da726b923570", + "created": "2026-04-23T00:37:08.211Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:37:08.211Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json b/ics-attack/relationship/relationship--3e249f0a-5755-4e0f-96ce-f3ce6376fed5.json similarity index 76% rename from ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json rename to ics-attack/relationship/relationship--3e249f0a-5755-4e0f-96ce-f3ce6376fed5.json index 0640744dee..51f299ea5a 100644 --- a/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json +++ b/ics-attack/relationship/relationship--3e249f0a-5755-4e0f-96ce-f3ce6376fed5.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--0250677b-f71a-4e90-831a-d4e23d12124c", + "id": "bundle--9f1194eb-2874-4394-86eb-aae7576a97b0", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46", + "id": "relationship--3e249f0a-5755-4e0f-96ce-f3ce6376fed5", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
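Review bot: The first hunk of the renamed relationship--3e249f0a-5755-4e0f-96ce-f3ce6376fed5 file adds an explicit `"revoked": false`, while other hunks in this diff (for example relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9 and relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa) delete that exact line from existing relationships. The dataset therefore has the key present on some objects and absent on others with the same meaning. STIX treats a missing `revoked` as false, so the data stays valid. A consumer that filters with a strict comparison on the key, rather than a lookup with a default, would still handle the two groups differently. Either keep the field on every object or omit it from newly written ones too, and record the chosen convention in the changelog.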
@@ -15,10 +16,10 @@ "description": "Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status data.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3e9093f7-6212-4b34-b22e-4ecabc27c654.json b/ics-attack/relationship/relationship--3e9093f7-6212-4b34-b22e-4ecabc27c654.json new file mode 100644 index 0000000000..735d783033 --- /dev/null +++ b/ics-attack/relationship/relationship--3e9093f7-6212-4b34-b22e-4ecabc27c654.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--9a2ced8e-4988-46bf-8333-cc336ed6d712", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3e9093f7-6212-4b34-b22e-4ecabc27c654", + "created": "2026-04-22T22:34:50.733Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:34:50.733Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9.json b/ics-attack/relationship/relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9.json index efeed0ed7c..2cbd63c079 100644 --- a/ics-attack/relationship/relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9.json +++ b/ics-attack/relationship/relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--331c13fb-df73-41a4-b215-44977c83b7c1", + "id": "bundle--18c45544-f738-4d82-a091-73a940313521", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9", "created": "2023-09-29T17:39:42.457Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:04.618Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--3f261739-b6ec-4a86-94a3-146929f9facf.json b/ics-attack/relationship/relationship--3f261739-b6ec-4a86-94a3-146929f9facf.json index dc5c23a1c1..a9fefc16d2 100644 --- a/ics-attack/relationship/relationship--3f261739-b6ec-4a86-94a3-146929f9facf.json +++ b/ics-attack/relationship/relationship--3f261739-b6ec-4a86-94a3-146929f9facf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f721771-56e8-4b71-bfba-c6d67c9e1147", + "id": "bundle--7b4b9e7a-c79a-4ab0-9944-a9d0f858670f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3f261739-b6ec-4a86-94a3-146929f9facf", "created": "2024-11-20T23:28:20.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", 
diff --git a/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json b/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json index 2ac70bdd16..20b331c93f 100644 --- a/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json +++ b/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b29b1444-a2d6-4c8a-91c3-7fa2b4af6081", + "id": "bundle--b58c5744-043a-48df-b324-14bed571e788", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json b/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json index 525c93d42d..28b82de86a 100644 --- a/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json +++ b/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--44f93d5e-c207-4bb4-a1ce-2bf56c568d76", + "id": "bundle--e9f2d687-5af8-4f5b-8619-2fc97b7efcbf", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015", diff --git a/ics-attack/relationship/relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f.json b/ics-attack/relationship/relationship--3f9093f6-fb01-45e0-924f-a71a536336b2.json similarity index 71% rename from ics-attack/relationship/relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f.json rename to ics-attack/relationship/relationship--3f9093f6-fb01-45e0-924f-a71a536336b2.json index 1bafd44107..05e07b83b7 100644 --- a/ics-attack/relationship/relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f.json 
+++ b/ics-attack/relationship/relationship--3f9093f6-fb01-45e0-924f-a71a536336b2.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--f56961e0-823e-4b60-9f6f-ecb01f94eedc", + "id": "bundle--1cc0558c-8e34-45db-adbe-d1bec4ebf8b3", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f", + "id": "relationship--3f9093f6-fb01-45e0-924f-a71a536336b2", "created": "2023-09-29T18:06:35.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:02.821Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json b/ics-attack/relationship/relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json index 08c31fd70c..e631f1f18d 100644 --- a/ics-attack/relationship/relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json +++ b/ics-attack/relationship/relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b38dc017-885f-4210-9f7d-3d1aec909109", + "id": "bundle--7c7c0650-f914-4e01-bcc2-caa72016d86f", "spec_version": "2.0", "objects": [ { 
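Review bot: In the second hunk for relationship--3f9093f6-fb01-45e0-924f-a71a536336b2, `source_ref` and `x_mitre_attack_spec_version` change and the first hunk gives the object a new `id`, yet `"modified": "2025-04-16T23:05:02.821Z"` and the 2023 `created` value remain unchanged context. Relationships that are genuinely new in this diff carry 2026-04-22/23 timestamps, so this object appears older than its first publication. A pipeline that syncs incrementally on `modified` could, if it works that way, miss the re-pointed relationship and keep the old technique mapping. Consider stamping the change, e.g. `"modified": "<time of this change>"` (placeholder), or documenting that re-issued relationships keep their original timestamps. The same pattern is visible in the renames to relationship--3f9f3845-33a9-488a-afd7-8db1bb53fe88 and relationship--40477010-e2db-4e4d-8896-6e401a89ac03.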
@@ -8,12 +8,10 @@ "id": "relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe", "created": "2023-09-28T21:17:18.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:05.764Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1.json b/ics-attack/relationship/relationship--3f9f3845-33a9-488a-afd7-8db1bb53fe88.json similarity index 71% rename from ics-attack/relationship/relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1.json rename to ics-attack/relationship/relationship--3f9f3845-33a9-488a-afd7-8db1bb53fe88.json index 3318943168..f08ff4fc3f 100644 --- a/ics-attack/relationship/relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1.json +++ b/ics-attack/relationship/relationship--3f9f3845-33a9-488a-afd7-8db1bb53fe88.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--0fb13130-6526-42f4-9ed9-66ff59486e03", + "id": "bundle--e616d6a6-ff44-4afc-8c0d-7a7bef4989e6", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1", + "id": "relationship--3f9f3845-33a9-488a-afd7-8db1bb53fe88", "created": "2023-09-28T19:39:25.832Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:52.150Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa.json b/ics-attack/relationship/relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa.json index 3dcba61a33..5b1adb0356 100644 --- a/ics-attack/relationship/relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa.json +++ b/ics-attack/relationship/relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3362647f-85c6-481a-a71d-47c6d4a0f40f", + "id": "bundle--23586081-713e-4db3-b66a-b7ebc8d99966", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa", "created": "2023-09-28T20:27:43.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:06.232Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json b/ics-attack/relationship/relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json index 54a04998f2..982a6b56cb 100644 --- a/ics-attack/relationship/relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json 
+++ b/ics-attack/relationship/relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7494fb76-a410-436c-b757-6d639058a16c", + "id": "bundle--2f536bfe-7459-4495-8991-788da5738940", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542", "created": "2023-09-29T18:57:32.665Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:06.451Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", diff --git a/ics-attack/relationship/relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5.json b/ics-attack/relationship/relationship--40477010-e2db-4e4d-8896-6e401a89ac03.json similarity index 71% rename from ics-attack/relationship/relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5.json rename to ics-attack/relationship/relationship--40477010-e2db-4e4d-8896-6e401a89ac03.json index f89f774eed..790c23dca0 100644 --- a/ics-attack/relationship/relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5.json +++ b/ics-attack/relationship/relationship--40477010-e2db-4e4d-8896-6e401a89ac03.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--b7cafb59-6f32-4b5f-9c9a-492e2eb081a0", + "id": "bundle--88e4c134-af5b-427c-9053-a9ae28ef6601", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5", + "id": "relationship--40477010-e2db-4e4d-8896-6e401a89ac03", "created": "2023-09-29T16:28:39.397Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:33.039Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json b/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json index 7e1a1be99b..966b5fd85e 100644 --- a/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json +++ b/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f006149-a9a3-4e61-b2e2-144417e6d9ac", + "id": "bundle--7fc69507-d62d-4dc9-9166-2b652f7cf6a9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c", "created": "2022-09-28T21:16:28.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Wylie-22", diff --git a/ics-attack/relationship/relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4.json b/ics-attack/relationship/relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4.json index fbe482cbd5..52a13c0203 100644 --- a/ics-attack/relationship/relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4.json +++ b/ics-attack/relationship/relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b21b546b-f670-4b58-ad71-bde7f676a864", + "id": "bundle--ec6a0f37-8e80-430f-8ee1-0c71c90944ec", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4", "created": "2023-09-29T18:05:42.611Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:06.892Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--4071dca7-2405-4856-8130-44cc1aadded2.json b/ics-attack/relationship/relationship--4071dca7-2405-4856-8130-44cc1aadded2.json new file mode 100644 index 0000000000..e5ccef4af6 --- /dev/null +++ b/ics-attack/relationship/relationship--4071dca7-2405-4856-8130-44cc1aadded2.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--481e5551-71d5-4805-919c-997480aa7de3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4071dca7-2405-4856-8130-44cc1aadded2", + "created": "2026-04-22T20:39:47.699Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:39:47.699Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--408b2389-3280-46c6-8c94-2579b47b2340.json b/ics-attack/relationship/relationship--408b2389-3280-46c6-8c94-2579b47b2340.json index b313a6fb70..94f055f060 100644 --- a/ics-attack/relationship/relationship--408b2389-3280-46c6-8c94-2579b47b2340.json +++ b/ics-attack/relationship/relationship--408b2389-3280-46c6-8c94-2579b47b2340.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6a0c8b2c-d116-47e8-a049-05704380b659", + "id": "bundle--007e9bfe-3b07-4353-b92f-488180fb836c", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--13412b71-b94e-4aef-912a-44853f8bff05", "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", diff --git a/ics-attack/relationship/relationship--40fdaedd-04b4-42ad-8bea-a0513de65f73.json b/ics-attack/relationship/relationship--40fdaedd-04b4-42ad-8bea-a0513de65f73.json new file mode 100644 index 0000000000..f357e83f60 --- /dev/null +++ b/ics-attack/relationship/relationship--40fdaedd-04b4-42ad-8bea-a0513de65f73.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--77c4b270-1fe1-490e-bd8e-7f750bf609e6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--40fdaedd-04b4-42ad-8bea-a0513de65f73", + "created": "2026-04-22T20:02:08.818Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:01:18.263Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used `netstat` to enumerate network connections on the Mikronika HMI computers.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db.json b/ics-attack/relationship/relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db.json index ff958bb4ac..037cc8b19e 100644 --- a/ics-attack/relationship/relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db.json +++ b/ics-attack/relationship/relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6537b62e-e24a-420a-ad6b-c12be8840e3e", + "id": "bundle--c255215f-6031-442c-8af0-8c4a71a23480", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db", "created": "2023-09-29T17:04:46.290Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:07.332Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--413d5a01-4e80-4d8a-a9ad-9d90792b852a.json b/ics-attack/relationship/relationship--413d5a01-4e80-4d8a-a9ad-9d90792b852a.json new file mode 100644 index 0000000000..a66d92afb8 --- /dev/null +++ b/ics-attack/relationship/relationship--413d5a01-4e80-4d8a-a9ad-9d90792b852a.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--51918fd1-9528-4d97-bb63-0fdc74a1aa05", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--413d5a01-4e80-4d8a-a9ad-9d90792b852a", + "created": "2026-04-22T16:10:04.096Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:10:04.096Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--415b3d09-f30e-4f25-8cae-bbe7fef80275.json b/ics-attack/relationship/relationship--415b3d09-f30e-4f25-8cae-bbe7fef80275.json index 8e8c1150af..d6d6ece5bd 100644 
--- a/ics-attack/relationship/relationship--415b3d09-f30e-4f25-8cae-bbe7fef80275.json +++ b/ics-attack/relationship/relationship--415b3d09-f30e-4f25-8cae-bbe7fef80275.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d4c39d0-4d13-4c98-bbb0-84fc217fd2f2", + "id": "bundle--325aa57b-6398-494b-b742-cc07ce148d44", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--415b3d09-f30e-4f25-8cae-bbe7fef80275", "created": "2025-09-24T18:19:25.233Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2.json b/ics-attack/relationship/relationship--41856149-91d5-4815-b50f-8eb371ac5ba6.json similarity index 84% rename from ics-attack/relationship/relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2.json rename to ics-attack/relationship/relationship--41856149-91d5-4815-b50f-8eb371ac5ba6.json index 930c594ad9..b1b992107a 100644 --- a/ics-attack/relationship/relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2.json +++ b/ics-attack/relationship/relationship--41856149-91d5-4815-b50f-8eb371ac5ba6.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--1bc0cdc2-3a91-4803-bb23-7c3c55080fee", + "id": "bundle--488f8b85-c520-4788-82e2-dae3ab727152", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2", + "id": "relationship--41856149-91d5-4815-b50f-8eb371ac5ba6", "created": "2023-03-10T20:09:49.009Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -23,10 +23,10 @@ "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", "relationship_type": "uses", "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--41a109dd-11d9-4840-a38b-088fc790f45a.json b/ics-attack/relationship/relationship--41a109dd-11d9-4840-a38b-088fc790f45a.json index 0d29b12585..c55bfb4781 100644 --- a/ics-attack/relationship/relationship--41a109dd-11d9-4840-a38b-088fc790f45a.json +++ b/ics-attack/relationship/relationship--41a109dd-11d9-4840-a38b-088fc790f45a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e20ccae7-4dfd-489f-b8ae-14c96bc75749", + "id": "bundle--b64bb965-7d68-4ca9-b195-ce9c96ee5d3d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--41a109dd-11d9-4840-a38b-088fc790f45a", "created": "2024-03-25T20:17:27.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:07.563Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
diff --git a/ics-attack/relationship/relationship--41abc220-4ec6-41cc-bb36-37c43341fc41.json b/ics-attack/relationship/relationship--41abc220-4ec6-41cc-bb36-37c43341fc41.json new file mode 100644 index 0000000000..a3277ab94e --- /dev/null +++ b/ics-attack/relationship/relationship--41abc220-4ec6-41cc-bb36-37c43341fc41.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--7dd4466a-24e7-4c09-8138-946dfc54dbd6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--41abc220-4ec6-41cc-bb36-37c43341fc41", + "created": "2026-04-22T16:07:47.332Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:08:24.985Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
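Review bot: The citation text in the new `external_references` entry is malformed: `"Department of Homeland Security 2016, September Retrieved. 2020/09/25 "` has no document title, a misplaced "Retrieved." and a trailing space. The CERT Polska reference added elsewhere in this commit follows the author, date, title, retrieval-date form, so this entry is the odd one out. A reader who wants to check the allowlisting guidance behind this mitigation has only the URL to go on. Suggest `"description": "Department of Homeland Security. (2016, September). <report title>. Retrieved September 25, 2020."`, with the title taken from the linked document.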
diff --git a/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json b/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json index 6319e03609..65d41007b1 100644 --- a/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json +++ b/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7d9018f9-6868-41ba-b135-105599043b83", + "id": "bundle--0ecb8819-01e0-4ae2-b386-62c56f6dd4c1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d.json b/ics-attack/relationship/relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d.json index ad7c6e9d84..0fac962f70 100644 --- a/ics-attack/relationship/relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d.json +++ b/ics-attack/relationship/relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--098c0afb-8bbe-4bb4-a73b-8f1f6be4588c", + "id": "bundle--c88e1e0e-6bee-440b-b86e-7a42223179d8", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d", "created": "2023-09-28T19:58:43.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:08.191Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json b/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json index eeca6e6302..fb1ca034d8 100644 --- a/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json 
+++ b/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20dd118a-0b71-4a4b-9119-6c5cbbcb6c49", + "id": "bundle--d3c964b3-8425-4d7a-91b2-3e62c30c45f5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--423271c0-04dc-42d0-8e27-fb0b6067e096.json b/ics-attack/relationship/relationship--423271c0-04dc-42d0-8e27-fb0b6067e096.json index 5e17171fc6..e69ad4cdba 100644 --- a/ics-attack/relationship/relationship--423271c0-04dc-42d0-8e27-fb0b6067e096.json +++ b/ics-attack/relationship/relationship--423271c0-04dc-42d0-8e27-fb0b6067e096.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bb904dad-5e23-4cce-bf84-10b5726e62a8", + "id": "bundle--4bc5c7f9-cd6b-45a2-9367-e79c5b3cfd58", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--423271c0-04dc-42d0-8e27-fb0b6067e096", "created": "2023-09-27T14:59:43.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", diff --git a/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json b/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json index da42e4d654..9a5f09d50b 100644 --- a/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json +++ b/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a72b6974-6a1b-4504-be36-2d560b5c4910", + "id": "bundle--461b807c-cc3f-44ae-91fa-228b2395271d", "spec_version": "2.0", "objects": [ { @@ -8,6 +8,7 @@ "id": "relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security September 2016", 
@@ -18,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:25:16.596Z", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "modified": "2026-04-23T20:03:39.304Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--42577e40-8a29-461b-aeb6-232f4b04d76a.json b/ics-attack/relationship/relationship--42577e40-8a29-461b-aeb6-232f4b04d76a.json index 0687bf2af3..a7b24d2a30 100644 --- a/ics-attack/relationship/relationship--42577e40-8a29-461b-aeb6-232f4b04d76a.json +++ b/ics-attack/relationship/relationship--42577e40-8a29-461b-aeb6-232f4b04d76a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d07045f0-ff78-4b24-a377-7f51a4cb2b3d", + "id": "bundle--f004b365-4b27-4b0a-91a2-532988c24d94", "spec_version": "2.0", "objects": [ { 
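Review bot: The rewritten `description` in relationship--4256a0c2 still ends in a literal `\n` after the citation; the edit only removed the space before `(Citation:`. The relationship this commit adds for the same course of action (relationship--41abc220) carries the identical sentence without the trailing newline. The two mitigation texts will therefore not compare equal for any consumer that de-duplicates or diffs on the string. Suggest ending the value at `...workstations.(Citation: Department of Homeland Security September 2016)"`.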
@@ -8,7 +8,6 @@ "id": "relationship--42577e40-8a29-461b-aeb6-232f4b04d76a", "created": "2025-09-24T17:55:49.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json b/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json index 62aabfc98e..fb38f11bba 100644 --- a/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json +++ b/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc6ed19f-6be5-4a85-a0fe-e620a041ed6d", + "id": "bundle--ecb89498-c4fc-4961-8a8b-196028a0f565", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8f947e00-2579-4120-a8b0-d466e59fac1a.json b/ics-attack/relationship/relationship--4302566f-0eee-43a2-b40d-658e7cc0a57b.json similarity index 71% rename from ics-attack/relationship/relationship--8f947e00-2579-4120-a8b0-d466e59fac1a.json rename to ics-attack/relationship/relationship--4302566f-0eee-43a2-b40d-658e7cc0a57b.json index b77abae436..bd9326d07f 100644 --- a/ics-attack/relationship/relationship--8f947e00-2579-4120-a8b0-d466e59fac1a.json +++ b/ics-attack/relationship/relationship--4302566f-0eee-43a2-b40d-658e7cc0a57b.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--fbf8b51b-7ce5-432c-89db-ab7a059e26d5", + "id": "bundle--7b6bd266-bf91-48fd-af1e-f48279a6ebb6", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--8f947e00-2579-4120-a8b0-d466e59fac1a", + "id": "relationship--4302566f-0eee-43a2-b40d-658e7cc0a57b", "created": "2023-09-28T19:49:25.824Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:38.068Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json b/ics-attack/relationship/relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json index 38665fa442..9430524dc9 100644 --- a/ics-attack/relationship/relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json +++ b/ics-attack/relationship/relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--18a0c84c-db8b-4005-89fd-9416ba7644d9", + "id": "bundle--011d6fd3-35a5-4c86-b799-ee8f111f88eb", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b", "created": "2023-09-28T19:58:54.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:09.477Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--43344cd7-5004-4dac-8b62-8899105fa265.json b/ics-attack/relationship/relationship--43344cd7-5004-4dac-8b62-8899105fa265.json index ac0bda855d..f3529bd059 100644 --- a/ics-attack/relationship/relationship--43344cd7-5004-4dac-8b62-8899105fa265.json 
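Review bot: In the renamed file relationship--4302566f the relationship gets a new `id` and a new `source_ref`, but `"modified": "2025-04-16T23:03:38.068Z"` and the 2023 `created` value are carried over unchanged. Relationships created outright in this commit are stamped 2026-04-22, so a consumer that syncs incrementally by `modified` would presumably not see this object as new. The old id also appears to vanish with no revoked version left behind, which leaves stale technique-to-asset mappings in downstream stores. Suggest stamping the re-pointed object, e.g. `"modified": "<export timestamp>",`. The rename to relationship--44e0627e further down shows the same pattern with `modified` left at `2025-04-16T23:04:11.313Z`.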
+++ b/ics-attack/relationship/relationship--43344cd7-5004-4dac-8b62-8899105fa265.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2bf7bee1-42b4-4314-b32b-657d55bb5d12", + "id": "bundle--00a323b2-fa13-4d42-9d74-f392ecdc32fd", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--43344cd7-5004-4dac-8b62-8899105fa265", "created": "2023-09-29T18:47:20.334Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:09.681Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json b/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json index 0169079466..e5a4ec3060 100644 --- a/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json +++ b/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9dc14de2-4e8c-4831-8b83-0ef436b67170", + "id": "bundle--2bdbb5e2-e02b-41a5-87c4-3768d51411da", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--433539bf-cb17-4de1-9c0f-e579b041514f", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Inc. June 2017", diff --git a/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json b/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json index 03ee9ede1e..100a0d6349 100644 --- a/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json 
+++ b/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d877543-1362-4c52-b692-b28f114d66ba", + "id": "bundle--d77d1424-a3f8-4f2a-bf09-cfd72fae2892", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4387dbb0-8602-4485-ab55-2ed63d8b1622.json b/ics-attack/relationship/relationship--4387dbb0-8602-4485-ab55-2ed63d8b1622.json index 769657bdda..a05ff3ed7a 100644 --- a/ics-attack/relationship/relationship--4387dbb0-8602-4485-ab55-2ed63d8b1622.json +++ b/ics-attack/relationship/relationship--4387dbb0-8602-4485-ab55-2ed63d8b1622.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ec23ffb-4a4d-4167-8cca-9275641cc2ee", + "id": "bundle--0c133473-6016-4f1a-aea3-a74bf918afdb", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--4387dbb0-8602-4485-ab55-2ed63d8b1622", "created": "2025-09-29T19:05:01.891Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--43ab749c-d449-4fca-a14b-0f3a991fcdcc.json b/ics-attack/relationship/relationship--43ab749c-d449-4fca-a14b-0f3a991fcdcc.json index 1c35035cb0..066a5d8be9 100644 --- a/ics-attack/relationship/relationship--43ab749c-d449-4fca-a14b-0f3a991fcdcc.json +++ b/ics-attack/relationship/relationship--43ab749c-d449-4fca-a14b-0f3a991fcdcc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85e4f7ae-1074-4ebf-9be0-8d8a48f619f7", + "id": "bundle--31f9b1f1-92c1-48ae-8901-3d573ab5cfea", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--43ab749c-d449-4fca-a14b-0f3a991fcdcc", "created": "2025-09-24T18:15:06.489Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--43aecac8-9920-4cbf-bdd0-6a204cb64942.json b/ics-attack/relationship/relationship--43aecac8-9920-4cbf-bdd0-6a204cb64942.json new file mode 100644 index 0000000000..4f3e2ae6fb --- /dev/null +++ b/ics-attack/relationship/relationship--43aecac8-9920-4cbf-bdd0-6a204cb64942.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--60e8ff86-9076-4017-82b2-1f652c4d06f8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--43aecac8-9920-4cbf-bdd0-6a204cb64942", + "created": "2026-04-22T13:26:48.062Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:26:48.062Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--43b11545-3b70-4284-a369-bed7a0de4fd0.json b/ics-attack/relationship/relationship--43b11545-3b70-4284-a369-bed7a0de4fd0.json index 63339dc05c..354d9add0c 100644 --- a/ics-attack/relationship/relationship--43b11545-3b70-4284-a369-bed7a0de4fd0.json +++ b/ics-attack/relationship/relationship--43b11545-3b70-4284-a369-bed7a0de4fd0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e56bf5f-4590-4250-81a6-0f34b93cdfa0", + "id": "bundle--42e33625-21a0-42a4-b2db-da0e3a52cf56", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--43b11545-3b70-4284-a369-bed7a0de4fd0", "created": "2024-03-27T19:52:07.502Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Mandiant-Sandworm-Ukraine-2022", diff --git a/ics-attack/relationship/relationship--43d9821c-13ba-4009-b58b-a073918b780f.json b/ics-attack/relationship/relationship--43d9821c-13ba-4009-b58b-a073918b780f.json index 20d8eee395..ba3f2f357c 100644 --- a/ics-attack/relationship/relationship--43d9821c-13ba-4009-b58b-a073918b780f.json +++ b/ics-attack/relationship/relationship--43d9821c-13ba-4009-b58b-a073918b780f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13396721-964f-46ca-900d-5c99a40ff913", + "id": "bundle--83a06ca1-652b-47aa-9863-f8dd1e0033ba", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--43d9821c-13ba-4009-b58b-a073918b780f", "created": "2025-09-29T19:57:56.590Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--43e7ed35-4038-4bc3-82bb-d5ff337b368a.json b/ics-attack/relationship/relationship--43e7ed35-4038-4bc3-82bb-d5ff337b368a.json index ba75a51553..7fb2209c78 100644 --- a/ics-attack/relationship/relationship--43e7ed35-4038-4bc3-82bb-d5ff337b368a.json +++ b/ics-attack/relationship/relationship--43e7ed35-4038-4bc3-82bb-d5ff337b368a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f311c4cb-b544-43e5-a24f-c3df5cf34462", + "id": "bundle--e6cdd128-5453-4957-9a0e-0ac41585f764", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--43e7ed35-4038-4bc3-82bb-d5ff337b368a", "created": "2025-09-24T18:23:02.137Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json b/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json index 320d74772c..9e80eb1311 100644 --- a/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json +++ b/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e830f3d-7e05-4cf2-9c72-6d5ba243fdc8", + "id": "bundle--83c1da60-321c-46b8-839b-05b5fdc02ecd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json b/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json index f4c834ae6f..06837584a3 100644 --- a/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json +++ b/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1bf3f140-0f66-44e8-b7bc-8861e707f37a", + "id": "bundle--cc3be520-85c0-422c-8d26-313896a334e9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--44c857cf-7a4e-405a-87ca-7f6d79000589", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", diff --git a/ics-attack/relationship/relationship--44dd2e01-9aca-44c4-bfb8-05d16c928793.json b/ics-attack/relationship/relationship--44dd2e01-9aca-44c4-bfb8-05d16c928793.json index 416896a635..e17b54075c 100644 --- a/ics-attack/relationship/relationship--44dd2e01-9aca-44c4-bfb8-05d16c928793.json +++ b/ics-attack/relationship/relationship--44dd2e01-9aca-44c4-bfb8-05d16c928793.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e323fef-9b22-439d-baa2-95a1ff1de8d4", + "id": "bundle--df836a56-17f3-458c-800e-cab4ed7143f0", "spec_version": "2.0", "objects": [ { 
@@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--a995ba7c-c2c2-4d74-a3da-74e5a192099b", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", diff --git a/ics-attack/relationship/relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1.json b/ics-attack/relationship/relationship--44e0627e-d100-4e11-adab-4ff093e6031e.json similarity index 71% rename from ics-attack/relationship/relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1.json rename to ics-attack/relationship/relationship--44e0627e-d100-4e11-adab-4ff093e6031e.json index dece9f1015..8a02a277a7 100644 --- a/ics-attack/relationship/relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1.json +++ b/ics-attack/relationship/relationship--44e0627e-d100-4e11-adab-4ff093e6031e.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--9079b4cf-388f-489b-8fec-8657963fbc6d", + "id": "bundle--40f72cbe-625b-4888-a2da-e859d9584e82", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1", + "id": "relationship--44e0627e-d100-4e11-adab-4ff093e6031e", "created": "2023-09-29T17:37:41.336Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:11.313Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--4560f607-106b-4546-8f58-bd45c2a5c5f8.json b/ics-attack/relationship/relationship--4560f607-106b-4546-8f58-bd45c2a5c5f8.json new file mode 100644 index 0000000000..8cc4707cd3 --- /dev/null +++ b/ics-attack/relationship/relationship--4560f607-106b-4546-8f58-bd45c2a5c5f8.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--cef54353-a740-45b8-af93-a5faea6f9757", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4560f607-106b-4546-8f58-bd45c2a5c5f8", + "created": "2026-04-22T22:36:45.186Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:36:45.186Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--456ff399-4925-45d4-aa84-d930eae5348e.json b/ics-attack/relationship/relationship--456ff399-4925-45d4-aa84-d930eae5348e.json index 7b9ead8dcd..ec4a58263c 100644 --- a/ics-attack/relationship/relationship--456ff399-4925-45d4-aa84-d930eae5348e.json +++ b/ics-attack/relationship/relationship--456ff399-4925-45d4-aa84-d930eae5348e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a789e882-dc53-4a6b-b7c8-bc2e72476202", + "id": "bundle--7a0c550e-fc11-4f17-8f4c-8f86649f810c", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--456ff399-4925-45d4-aa84-d930eae5348e", "created": "2023-09-28T20:26:47.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:11.878Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json b/ics-attack/relationship/relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json index b80208b887..2e67d2fddc 100644 --- a/ics-attack/relationship/relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json +++ b/ics-attack/relationship/relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b2c060ab-da19-49d7-9f42-c2d14b5ddc60", + "id": "bundle--18d430d1-aa3a-4d82-b64c-286c58278486", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f", "created": "2023-10-02T20:22:02.539Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:12.094Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json b/ics-attack/relationship/relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json index b0f7c83383..7e5084b128 100644 --- a/ics-attack/relationship/relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json +++ b/ics-attack/relationship/relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f169abd2-9df5-48a6-b3e8-435412ba76b5", + "id": "bundle--62c22c7d-d2bc-4bf0-94fe-dc235ebe9ce5", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9", "created": "2023-09-28T20:15:32.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:12.313Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json b/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json index d6d9878cfd..b9be0feed5 100644 --- a/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json +++ b/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b578e6b8-65e7-4c1a-ab6c-33972789c4c7", + "id": "bundle--01a1e45a-cb2f-4363-a247-9b5616b038a0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json b/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json index d312bee71c..ccfc5829b9 100644 --- a/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json +++ b/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--27f15bc4-3bce-4b5d-9cda-c1b4a598f620", + "id": "bundle--21092bac-5bc3-4b80-a820-fff84a4d1ed3", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--4653847b-c089-4435-9159-6f76353833f7.json b/ics-attack/relationship/relationship--4653847b-c089-4435-9159-6f76353833f7.json index 9ffbb7a385..3cd8be9253 100644 --- a/ics-attack/relationship/relationship--4653847b-c089-4435-9159-6f76353833f7.json +++ b/ics-attack/relationship/relationship--4653847b-c089-4435-9159-6f76353833f7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--17ca7f8f-1ab1-41ad-9d80-902ea1eb2475", + "id": "bundle--054721fb-205e-424f-86e4-ee12c4a7cfb2", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--4653847b-c089-4435-9159-6f76353833f7", "created": "2023-09-25T20:43:22.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf.json b/ics-attack/relationship/relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf.json index a82e35c3a5..3e264190b1 100644 --- a/ics-attack/relationship/relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf.json +++ b/ics-attack/relationship/relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4cd0ec68-77e7-486f-95af-7696fc4446e3", + "id": "bundle--dc9aea08-b6a7-4cc1-9890-37c63d8a7eaa", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf", "created": "2023-09-29T16:42:20.944Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:13.639Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
diff --git a/ics-attack/relationship/relationship--46798892-d849-43fe-8147-b40cc9da291e.json b/ics-attack/relationship/relationship--46798892-d849-43fe-8147-b40cc9da291e.json index 16db77dde2..71cba2dcd4 100644 --- a/ics-attack/relationship/relationship--46798892-d849-43fe-8147-b40cc9da291e.json +++ b/ics-attack/relationship/relationship--46798892-d849-43fe-8147-b40cc9da291e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4516032d-6dd4-4773-ae5b-30dd8b401ea5", + "id": "bundle--ca6dd2d2-4aa2-4060-92bc-1ce2df8ec3e7", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--46798892-d849-43fe-8147-b40cc9da291e", "created": "2023-09-28T19:42:29.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:13.854Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json b/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json index ea5f601605..c7c1a1f5ce 100644 --- a/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json +++ b/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1c9f18b2-2bff-4cc0-aceb-4911957e9536", + "id": "bundle--5708320b-60c2-430f-842a-51944bbbdb2d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Hydro", 
diff --git a/ics-attack/relationship/relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9.json b/ics-attack/relationship/relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9.json index 1e213d08bf..b6837d1295 100644 --- a/ics-attack/relationship/relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9.json +++ b/ics-attack/relationship/relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c9532342-2b4f-4da0-96e4-5bae6352962c", + "id": "bundle--c582a8e5-762e-493f-bf38-5554095f2784", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--46e4cdd2-e8f0-46aa-9264-868815a05af9", "created": "2024-03-25T20:17:59.424Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:14.277Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--4768c731-3be9-44b8-a217-dfbececa57d9.json b/ics-attack/relationship/relationship--4768c731-3be9-44b8-a217-dfbececa57d9.json index bf42dcf379..08751e98fc 100644 --- a/ics-attack/relationship/relationship--4768c731-3be9-44b8-a217-dfbececa57d9.json +++ b/ics-attack/relationship/relationship--4768c731-3be9-44b8-a217-dfbececa57d9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8846a394-e9a4-49c3-b3bf-91ddf7396592", + "id": "bundle--a258cef2-2a93-453c-a8ed-a19bbdf8ad47", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--4768c731-3be9-44b8-a217-dfbececa57d9", "created": "2023-09-29T18:06:22.868Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:14.477Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--476fdcf2-0b39-4ddc-9744-ef54d3b9efb8.json b/ics-attack/relationship/relationship--476fdcf2-0b39-4ddc-9744-ef54d3b9efb8.json index ad02db3507..59edc03de7 100644 --- a/ics-attack/relationship/relationship--476fdcf2-0b39-4ddc-9744-ef54d3b9efb8.json +++ b/ics-attack/relationship/relationship--476fdcf2-0b39-4ddc-9744-ef54d3b9efb8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe746746-85cf-478a-9077-a08124e7e14b", + "id": "bundle--b400b314-2ac6-4bcf-b3cb-fa4705134815", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--6f921aa8-deb3-4286-8101-26a7cbe80c0e", "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", diff --git a/ics-attack/relationship/relationship--47b1bc70-9fe4-4a6f-a137-f51db24566da.json b/ics-attack/relationship/relationship--47b1bc70-9fe4-4a6f-a137-f51db24566da.json index 6daa2a7939..b318a53f6d 100644 --- a/ics-attack/relationship/relationship--47b1bc70-9fe4-4a6f-a137-f51db24566da.json +++ b/ics-attack/relationship/relationship--47b1bc70-9fe4-4a6f-a137-f51db24566da.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e225e44d-2d42-49cb-a8df-3b5cabfc227a", + "id": "bundle--fc1811e6-3c04-4c4b-ad29-858385624f9f", "spec_version": "2.0", "objects": [ { 
@@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--bbb288c7-9e40-46bd-b0a1-db4cfef4e1ee", "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", diff --git a/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json b/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json index e4a829c27a..e2af04bcf1 100644 --- a/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json +++ b/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ab222bc-85ea-425a-9f73-97b9d8c15a10", + "id": "bundle--39c18a25-0f4f-4554-a331-96a396412fe9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--47f15a06-8675-4698-833d-bd141ed9e755", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Microsoft Security Response Center August 2017", diff --git a/ics-attack/relationship/relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957.json b/ics-attack/relationship/relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957.json index 8dd2de4cb6..71de59c87e 100644 --- a/ics-attack/relationship/relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957.json +++ b/ics-attack/relationship/relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--05f7884f-63d0-4cb7-9313-61918ebaed09", + "id": "bundle--be11c7dc-da32-41ad-91cc-1ca1087aa18a", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--484b0873-59ef-41a3-b33d-b3fb41a2c957", "created": "2024-04-09T20:50:34.946Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:15.592Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--48e142d5-ebfe-4950-8704-409c6b92f693.json b/ics-attack/relationship/relationship--48e142d5-ebfe-4950-8704-409c6b92f693.json new file mode 100644 index 0000000000..44f22d8adf --- /dev/null +++ b/ics-attack/relationship/relationship--48e142d5-ebfe-4950-8704-409c6b92f693.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--b63e2bd5-d4aa-4c18-904e-263c9f138367", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--48e142d5-ebfe-4950-8704-409c6b92f693", + "created": "2026-04-20T20:54:22.411Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:22.411Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--490c0435-b918-4843-bee1-0584f8092ce4.json b/ics-attack/relationship/relationship--490c0435-b918-4843-bee1-0584f8092ce4.json new file mode 100644 index 0000000000..e4d17e7886 --- /dev/null 
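Review bot: The added `subtechnique-of` object `relationship--48e142d5-b5b8-…` omits `x_mitre_deprecated`, which the other relationships added on this page carry as `"x_mitre_deprecated": false,`. Its hunk is 23 lines where the `targets` additions are 24. Consumers that filter deprecated content by reading the field without a default will treat this edge differently from its siblings. Either add `"x_mitre_deprecated": false,` after `x_mitre_modified_by_ref`, or omit the field from all new objects. If this is among the first `subtechnique-of` edges in `ics-attack` (not verifiable from this page), coverage maps and detection mappings keyed on flat technique ids should be checked for how they resolve `attack-pattern--55e7e5c1-…` to its parent `attack-pattern--fbb67c2d-…`.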
+++ b/ics-attack/relationship/relationship--490c0435-b918-4843-bee1-0584f8092ce4.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--718579e2-5f18-483c-b13f-cadbcb0b5d78", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--490c0435-b918-4843-bee1-0584f8092ce4", + "created": "2026-04-23T16:34:50.702Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:34:50.702Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json b/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json index 4b80661817..d64d048570 100644 --- a/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json +++ b/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75507462-074e-46fe-93f8-05f453386cc5", + "id": "bundle--a7091560-8c1a-4232-a677-0b85a61651c8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--49242ea8-4813-49f7-8bd4-9668216cceeb.json b/ics-attack/relationship/relationship--49242ea8-4813-49f7-8bd4-9668216cceeb.json index 8094333a2c..39d8716d3d 100644 --- a/ics-attack/relationship/relationship--49242ea8-4813-49f7-8bd4-9668216cceeb.json +++ b/ics-attack/relationship/relationship--49242ea8-4813-49f7-8bd4-9668216cceeb.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28c216c6-6fa6-4fe4-bce4-e074b6bb9e78", + "id": "bundle--522fb634-ff8a-4902-96af-0e4dc2e35039", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--49242ea8-4813-49f7-8bd4-9668216cceeb", "created": "2023-09-29T16:45:53.300Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:16.023Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json b/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json index 4cfab65df2..c30e4fedc1 100644 --- a/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json +++ b/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--546d1995-016b-4778-a27f-07cc75b46c6c", + "id": "bundle--1e16a0a3-074e-4a56-9fd2-c2f6e4cfce86", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--497e0dbf-b36e-4c2e-9368-67553c8ba5b1.json b/ics-attack/relationship/relationship--497e0dbf-b36e-4c2e-9368-67553c8ba5b1.json index ba5937e206..a960d2bf86 100644 --- a/ics-attack/relationship/relationship--497e0dbf-b36e-4c2e-9368-67553c8ba5b1.json +++ b/ics-attack/relationship/relationship--497e0dbf-b36e-4c2e-9368-67553c8ba5b1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--12970d47-3654-4848-88c5-f9627f218319", + "id": "bundle--71456a0e-7fe6-429a-8b00-a4ea8c271a5c", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--497e0dbf-b36e-4c2e-9368-67553c8ba5b1", "created": "2025-09-24T18:25:02.119Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--4981a944-b3ad-4d78-9881-a17d458e3422.json b/ics-attack/relationship/relationship--4981a944-b3ad-4d78-9881-a17d458e3422.json index 6be24584b6..c2097fd97f 100644 --- a/ics-attack/relationship/relationship--4981a944-b3ad-4d78-9881-a17d458e3422.json +++ b/ics-attack/relationship/relationship--4981a944-b3ad-4d78-9881-a17d458e3422.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--007fe7e5-f2a2-43e0-9e29-af685d27bbe2", + "id": "bundle--9dfaf2ef-8765-4d95-8c5b-b13421b1e05c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--4981a944-b3ad-4d78-9881-a17d458e3422", "created": "2023-09-28T20:01:30.138Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:16.504Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8.json b/ics-attack/relationship/relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8.json index 8430931654..8630078950 100644 --- a/ics-attack/relationship/relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8.json +++ b/ics-attack/relationship/relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0f9290f0-1a4a-4632-9401-a29ea431264d", + "id": "bundle--8e02445e-7290-47aa-bd26-d22aecfa055d", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8", "created": "2023-03-31T17:44:19.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Crashoverride 2018", diff --git a/ics-attack/relationship/relationship--49aebf0c-e231-4cbb-84a2-97c9a6d11654.json b/ics-attack/relationship/relationship--49aebf0c-e231-4cbb-84a2-97c9a6d11654.json new file mode 100644 index 0000000000..597b524e47 --- /dev/null +++ b/ics-attack/relationship/relationship--49aebf0c-e231-4cbb-84a2-97c9a6d11654.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--bc562588-713f-4154-b043-83078d206350", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--49aebf0c-e231-4cbb-84a2-97c9a6d11654", + "created": "2026-04-22T17:59:31.637Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:32:27.293Z", + "description": "Ensure proper network segmentation is followed to protect critical systems and devices.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json b/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json index 3a1080d9d2..87ba3a49eb 100644 --- a/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json +++ b/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e53f4aa-2a88-4b48-ae1e-34dff933dd54", + "id": "bundle--97b6ce05-10a7-4c60-92d9-df8e36a5e0c0", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json b/ics-attack/relationship/relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json index c123c4aec4..f330eb2301 100644 --- a/ics-attack/relationship/relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json +++ b/ics-attack/relationship/relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--18240823-1808-47ec-85c1-f1df71158a9a", + "id": "bundle--45a8574a-a74d-414c-a7e0-739ef27a3bd1", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05", "created": "2023-09-28T19:41:47.648Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:17.384Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--4a7340fc-0eec-4459-a491-952d736b79ef.json b/ics-attack/relationship/relationship--4a7340fc-0eec-4459-a491-952d736b79ef.json index 4ce7a2ab36..6ae9981016 100644 --- a/ics-attack/relationship/relationship--4a7340fc-0eec-4459-a491-952d736b79ef.json +++ b/ics-attack/relationship/relationship--4a7340fc-0eec-4459-a491-952d736b79ef.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f1285ea3-3e1e-4a9d-b039-a20fe106ad77", + "id": "bundle--da6aa5f3-e740-4115-9c10-f9559b1cd58e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--4a7340fc-0eec-4459-a491-952d736b79ef", "created": "2023-09-28T19:50:42.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:17.593Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--4b353f8e-15ff-4fab-9f09-270ffb744a0f.json b/ics-attack/relationship/relationship--4b353f8e-15ff-4fab-9f09-270ffb744a0f.json new file mode 100644 index 0000000000..4066877865 --- /dev/null +++ b/ics-attack/relationship/relationship--4b353f8e-15ff-4fab-9f09-270ffb744a0f.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--87798d1d-0bbf-46a5-b70f-0451520ffc17", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4b353f8e-15ff-4fab-9f09-270ffb744a0f", + "created": "2026-04-22T16:09:40.257Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:09:40.257Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json b/ics-attack/relationship/relationship--4b44a657-11cc-45bc-b096-f32e58a70036.json similarity index 73% rename from ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json rename to ics-attack/relationship/relationship--4b44a657-11cc-45bc-b096-f32e58a70036.json index 677eeb8fa5..ad8bdde044 100644 --- a/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json +++ b/ics-attack/relationship/relationship--4b44a657-11cc-45bc-b096-f32e58a70036.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--8fc8f505-a961-43fc-adfd-ef6395307a80", + "id": "bundle--1e8d1a0b-dca6-4e70-b5d9-5563e566e70c", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639", + "id": "relationship--4b44a657-11cc-45bc-b096-f32e58a70036", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Restrict unauthorized devices from accessing serial comm ports.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596.json b/ics-attack/relationship/relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596.json index 6ca91b1989..fdabf3fa53 100644 
--- a/ics-attack/relationship/relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596.json +++ b/ics-attack/relationship/relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2dd8cd30-74b4-4596-9030-0cdd932cbcf6", + "id": "bundle--3351e9c8-fc53-438b-8e5d-2d5adfd0d4bf", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596", "created": "2023-09-28T21:24:51.818Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:18.221Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--4b853b7c-bc55-4599-b88d-d08d651526c0.json b/ics-attack/relationship/relationship--4b853b7c-bc55-4599-b88d-d08d651526c0.json index 5612740cb2..1dd1f5b3ca 100644 --- a/ics-attack/relationship/relationship--4b853b7c-bc55-4599-b88d-d08d651526c0.json +++ b/ics-attack/relationship/relationship--4b853b7c-bc55-4599-b88d-d08d651526c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20a5c8b4-020c-4a5b-9041-5f3f00bb5a14", + "id": "bundle--6ece90b8-ea92-4e13-a367-c01ab55b379e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--4b853b7c-bc55-4599-b88d-d08d651526c0", "created": "2023-09-29T18:49:25.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:18.442Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
diff --git a/ics-attack/relationship/relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e.json b/ics-attack/relationship/relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e.json index 6c8540719c..33a9c74a33 100644 --- a/ics-attack/relationship/relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e.json +++ b/ics-attack/relationship/relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--680ce8ed-33d8-4375-8d94-d755d05c3537", + "id": "bundle--e17b3488-a351-4ea1-959f-c0f4fbf1f101", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e", "created": "2023-03-31T17:45:09.659Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Crashoverride 2018", diff --git a/ics-attack/relationship/relationship--4bcbf856-1a3f-4dcf-8e00-5e925025ffc4.json b/ics-attack/relationship/relationship--4bcbf856-1a3f-4dcf-8e00-5e925025ffc4.json new file mode 100644 index 0000000000..5e80962b1b --- /dev/null +++ b/ics-attack/relationship/relationship--4bcbf856-1a3f-4dcf-8e00-5e925025ffc4.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--ab829cd1-a9ee-4ec0-b058-4fa8444610a9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4bcbf856-1a3f-4dcf-8e00-5e925025ffc4", + "created": "2026-04-22T20:24:18.093Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:24:18.093Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12.json b/ics-attack/relationship/relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12.json index e7f01e4e95..8651dd90b5 100644 --- a/ics-attack/relationship/relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12.json +++ b/ics-attack/relationship/relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--765fbbb0-67ba-4908-96ad-5a3b863100bf", + "id": "bundle--6b376256-f468-4472-9416-e8044ba75997", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12", "created": "2023-09-28T19:59:23.856Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:18.868Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
diff --git a/ics-attack/relationship/relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962.json b/ics-attack/relationship/relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962.json index 0adbf2de82..cd2dbb1550 100644 --- a/ics-attack/relationship/relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962.json +++ b/ics-attack/relationship/relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6d1af6a-a0ce-4e0a-a010-06c3616bfccf", + "id": "bundle--b1312367-c7c7-4f50-8363-f8354b6f500f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962", "created": "2023-09-28T21:23:14.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:19.069Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--4c5f0aeb-d4ae-4f37-9fec-ba4d844a0c21.json b/ics-attack/relationship/relationship--4c5f0aeb-d4ae-4f37-9fec-ba4d844a0c21.json new file mode 100644 index 0000000000..ca5cc107b5 --- /dev/null +++ b/ics-attack/relationship/relationship--4c5f0aeb-d4ae-4f37-9fec-ba4d844a0c21.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--3a428c92-f20d-4521-9ceb-640ed6d5a264", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4c5f0aeb-d4ae-4f37-9fec-ba4d844a0c21", + "created": "2026-04-22T21:48:25.479Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:48:25.479Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c779ee07-ee85-42fe-a2c1-14ce25766cdf", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json b/ics-attack/relationship/relationship--4c6b7176-650b-448d-9d5b-28eb36bcafae.json similarity index 78% rename from ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json rename to ics-attack/relationship/relationship--4c6b7176-650b-448d-9d5b-28eb36bcafae.json index 76f23b7a22..7d45c719fb 100644 --- a/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json +++ b/ics-attack/relationship/relationship--4c6b7176-650b-448d-9d5b-28eb36bcafae.json @@ -1,12 +1,12 @@ { "type": "bundle", - "id": "bundle--83b4fedf-2c18-4ded-9f1e-3cca13f9f0df", + "id": "bundle--3afb5644-776f-45b6-a50c-80735edc5cb5", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--351e19c4-c16e-493a-9800-a433107aacf1", - "created": "2018-04-18T17:59:24.739Z", + "id": "relationship--4c6b7176-650b-448d-9d5b-28eb36bcafae", + "created": "2026-04-22T20:06:22.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ 
@@ -19,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:52.519Z", + "modified": "2026-04-22T20:06:22.552Z", "description": "[Triton](https://attack.mitre.org/software/S1009) uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. (Citation: DHS CISA February 2019)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4cb8291c-f9eb-4c84-bb15-695685fd7064.json b/ics-attack/relationship/relationship--4cb8291c-f9eb-4c84-bb15-695685fd7064.json new file mode 100644 index 0000000000..4b52dbecb6 --- /dev/null +++ b/ics-attack/relationship/relationship--4cb8291c-f9eb-4c84-bb15-695685fd7064.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--e8a204fe-7da8-49de-ae5a-d29843b71aa4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4cb8291c-f9eb-4c84-bb15-695685fd7064", + "created": "2026-04-22T21:36:57.379Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:36:57.379Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4cc2bf97-b439-40a9-8e18-cc9daca1bab6.json b/ics-attack/relationship/relationship--4cc2bf97-b439-40a9-8e18-cc9daca1bab6.json new file mode 100644 index 0000000000..66fb455b65 --- /dev/null +++ b/ics-attack/relationship/relationship--4cc2bf97-b439-40a9-8e18-cc9daca1bab6.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a8874e46-e187-4530-b8ac-3be7e45bc1ac", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4cc2bf97-b439-40a9-8e18-cc9daca1bab6", + "created": "2026-04-22T19:00:02.393Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T19:00:02.393Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820.json b/ics-attack/relationship/relationship--4cec834f-831f-46e6-9cd2-a6fdfa45d06b.json similarity index 71% rename from ics-attack/relationship/relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820.json rename to ics-attack/relationship/relationship--4cec834f-831f-46e6-9cd2-a6fdfa45d06b.json index 53e31cbce8..8dcafe491c 100644 --- a/ics-attack/relationship/relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820.json +++ b/ics-attack/relationship/relationship--4cec834f-831f-46e6-9cd2-a6fdfa45d06b.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--bf0f9444-0ae2-4a7a-a022-ddc337213a77", + "id": "bundle--2c88dc44-33d5-4c0c-8c85-f59aa2e0c292", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820", + "id": "relationship--4cec834f-831f-46e6-9cd2-a6fdfa45d06b", "created": "2023-09-29T17:44:19.135Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:02:54.629Z",
- "description": "",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
+ "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0",
 "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4d163eab-7118-49c3-a4e9-d4f26d09b314.json b/ics-attack/relationship/relationship--4d163eab-7118-49c3-a4e9-d4f26d09b314.json
index d91c67f2b9..e49ac38a2d 100644
--- a/ics-attack/relationship/relationship--4d163eab-7118-49c3-a4e9-d4f26d09b314.json
+++ b/ics-attack/relationship/relationship--4d163eab-7118-49c3-a4e9-d4f26d09b314.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3e202b30-d978-4b55-9d10-55bac7b6f7cc",
+ "id": "bundle--9bda15d9-5b96-4f7d-9ada-09a1211b4f1a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--4d163eab-7118-49c3-a4e9-d4f26d09b314",
 "created": "2025-09-24T18:13:02.344Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json b/ics-attack/relationship/relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json
index 7ae13cbe04..0c1532f079 100644
--- a/ics-attack/relationship/relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json
+++ b/ics-attack/relationship/relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json
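Review bot: relationship--4cec834f is introduced under a new id with a different `source_ref`, yet it keeps `"created": "2023-09-29T17:44:19.135Z"` and `"modified": "2025-04-16T23:02:54.629Z"` from the object it replaces. The comparable replacement relationship--4c6b7176 earlier in this change set sets both timestamps to the 2026-04-22 edit time, so the handling is inconsistent. A feed consumer that syncs incrementally on `modified` could skip this object and keep a stale technique-to-asset mapping; setting both fields to the change time, e.g. `"modified": "<time of this change>"`, avoids that. relationship--5068c7c3 and relationship--50c2224e likewise keep their old `created` value alongside a new id and `target_ref`.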
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60c81f6a-0332-41aa-bf3a-57777c850381", + "id": "bundle--b8360c3e-661b-47a8-b3aa-9ef1fb3f87a0", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c", "created": "2023-09-27T13:17:12.592Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Andy Greenberg June 2017", diff --git a/ics-attack/relationship/relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json b/ics-attack/relationship/relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json index 65b53fa30e..88fd3adb42 100644 --- a/ics-attack/relationship/relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json +++ b/ics-attack/relationship/relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--72f2ac97-5f03-4256-b470-446fd18d0035", + "id": "bundle--aa91bb54-917e-49ae-b6a7-088449a31b8a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7", "created": "2023-09-28T20:27:04.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:19.583Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json b/ics-attack/relationship/relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json index 21af201a33..d7ded603d1 100644 --- a/ics-attack/relationship/relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json +++ b/ics-attack/relationship/relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--185596b7-8f1c-4f61-92ff-b8a714287eff", + "id": "bundle--be4e38bd-3dd6-4067-9ff3-0e115ac5bd91", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4", "created": "2023-09-28T21:28:11.821Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:19.805Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json b/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json index 8b3bce07ca..c4d3e0428b 100644 --- a/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json +++ b/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--994d1111-d964-4494-9f87-2fed257a8581", + "id": "bundle--b7b0375f-9075-49ce-8b14-1f04e3a1411e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e", "created": "2022-09-28T21:21:58.641Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Wylie-22", diff --git a/ics-attack/relationship/relationship--4e1e6e4b-c38b-477e-8026-f12a58558484.json b/ics-attack/relationship/relationship--4e1e6e4b-c38b-477e-8026-f12a58558484.json new file mode 100644 index 0000000000..e8d0d9ed73 --- /dev/null +++ b/ics-attack/relationship/relationship--4e1e6e4b-c38b-477e-8026-f12a58558484.json 
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--157bf540-baa3-490d-8680-f0c9e5f63b8e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--4e1e6e4b-c38b-477e-8026-f12a58558484",
+ "created": "2026-04-20T20:58:39.169Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-20T20:58:39.169Z",
+ "relationship_type": "revoked-by",
+ "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--4e7ec200-9a1b-46d4-9383-738903fec554.json b/ics-attack/relationship/relationship--4e7ec200-9a1b-46d4-9383-738903fec554.json
new file mode 100644
index 0000000000..5cda102b7e
--- /dev/null
+++ b/ics-attack/relationship/relationship--4e7ec200-9a1b-46d4-9383-738903fec554.json
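Review bot: The new `revoked-by` relationship--4e1e6e4b omits `x_mitre_deprecated`, whereas the `targets`, `detects` and `mitigates` relationships added in this change set all carry `"x_mitre_deprecated": false`. If the omission is not intentional for this relationship type, add `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version`; otherwise consumers have to treat the missing key as false when filtering out deprecated objects. The new `subtechnique-of` relationship--4fde32fb has the same shape.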
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--c64a969f-7b09-4276-a25a-48be1c5540e0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4e7ec200-9a1b-46d4-9383-738903fec554", + "created": "2026-04-23T00:39:29.524Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:33:28.216Z", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4ef202e5-b1cb-4cc4-892d-df6bf683c596.json b/ics-attack/relationship/relationship--4ef202e5-b1cb-4cc4-892d-df6bf683c596.json index 324b51231f..8ea0ddafaf 100644 --- a/ics-attack/relationship/relationship--4ef202e5-b1cb-4cc4-892d-df6bf683c596.json +++ b/ics-attack/relationship/relationship--4ef202e5-b1cb-4cc4-892d-df6bf683c596.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--70d0f709-9d54-4f9d-b7de-2eb021af25a2", + "id": "bundle--9c5f127b-756c-4e20-bbe4-48d5d55bf611", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--5604323b-6e7a-4801-91ae-4bf591f2e3ac", "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", 
diff --git a/ics-attack/relationship/relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5.json b/ics-attack/relationship/relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5.json index a180f8a78d..e45e532dd2 100644 --- a/ics-attack/relationship/relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5.json +++ b/ics-attack/relationship/relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--628a8da4-377b-436c-b393-97b85e7fa462", + "id": "bundle--b1f13fc7-a2b6-4975-b2d5-84a5acd3cc25", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5", "created": "2023-09-29T18:02:38.399Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:20.229Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json b/ics-attack/relationship/relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json index e2c8e82995..5c6fbe7870 100644 --- a/ics-attack/relationship/relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json +++ b/ics-attack/relationship/relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d7d5f9b-51b4-4fe3-95e8-0139f45363d8", + "id": "bundle--0256c748-f7f6-421d-9d20-01a42455c61a", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9", "created": "2023-09-28T20:09:53.108Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:20.630Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--4f83cc15-274d-44c6-859f-e598e362e76e.json b/ics-attack/relationship/relationship--4f83cc15-274d-44c6-859f-e598e362e76e.json index 46cc983ad2..fb5499aa40 100644 --- a/ics-attack/relationship/relationship--4f83cc15-274d-44c6-859f-e598e362e76e.json +++ b/ics-attack/relationship/relationship--4f83cc15-274d-44c6-859f-e598e362e76e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d83a561-f493-414c-ad7e-d2d959e09a3e", + "id": "bundle--63e9a53f-acd9-41ae-ab07-f39e2c3f74b8", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--4f83cc15-274d-44c6-859f-e598e362e76e", "created": "2023-09-27T14:55:55.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Ukraine15 - EISAC - 201603", diff --git a/ics-attack/relationship/relationship--4fde32fb-56b6-458b-92ac-55f81bc91783.json b/ics-attack/relationship/relationship--4fde32fb-56b6-458b-92ac-55f81bc91783.json new file mode 100644 index 0000000000..d984e14660 --- /dev/null +++ b/ics-attack/relationship/relationship--4fde32fb-56b6-458b-92ac-55f81bc91783.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--76b4cfd7-d824-49d9-a5a2-3387c8496f14", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4fde32fb-56b6-458b-92ac-55f81bc91783", + "created": "2026-04-20T20:54:26.012Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:26.012Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4fde6641-ad83-4b23-b51c-97fe7bdc558c.json b/ics-attack/relationship/relationship--4fde6641-ad83-4b23-b51c-97fe7bdc558c.json index 229795ec8d..77544a45df 100644 --- a/ics-attack/relationship/relationship--4fde6641-ad83-4b23-b51c-97fe7bdc558c.json +++ b/ics-attack/relationship/relationship--4fde6641-ad83-4b23-b51c-97fe7bdc558c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--46046b25-f351-41eb-8304-0925bee6a71b", + "id": "bundle--cfb49ae3-2649-438b-b8b1-23e585c7b924", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--4fde6641-ad83-4b23-b51c-97fe7bdc558c", "created": "2025-09-24T18:14:52.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json b/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json index 57f6dd1703..6ea348bd42 100644 --- a/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json 
+++ b/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e72ea66b-5103-45a6-aa9b-f2c0174593f8", + "id": "bundle--df9c0709-81a2-499c-9947-9011d8d89dfd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--50324c5f-50e9-4d81-a8ba-a076827259a0.json b/ics-attack/relationship/relationship--50324c5f-50e9-4d81-a8ba-a076827259a0.json new file mode 100644 index 0000000000..5ca202bfcf --- /dev/null +++ b/ics-attack/relationship/relationship--50324c5f-50e9-4d81-a8ba-a076827259a0.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--65da315e-a7e7-4200-9dd2-e0f6a1049bea", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--50324c5f-50e9-4d81-a8ba-a076827259a0", + "created": "2026-04-22T20:25:20.492Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:25:20.492Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29.json b/ics-attack/relationship/relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29.json index da906355db..a989f23c6c 100644 --- a/ics-attack/relationship/relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29.json +++ b/ics-attack/relationship/relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2c3bad0a-e442-4248-ba50-3538d901897a", + "id": "bundle--187d0c5b-f55c-47b7-82e2-8a2739f2a906", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29", "created": "2023-09-29T18:03:06.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:21.314Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json b/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json index ae50f8c446..8895334e02 100644 --- a/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json +++ b/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b49c8ed9-54c5-4df6-802e-df204792ae35", + "id": "bundle--5958639f-90e5-498e-b7e3-7bb1996ce3f3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--504f74ff-ce0c-4e2d-840a-79c17ba2cbce.json b/ics-attack/relationship/relationship--504f74ff-ce0c-4e2d-840a-79c17ba2cbce.json new file mode 100644 index 0000000000..9cc6794183 --- /dev/null +++ b/ics-attack/relationship/relationship--504f74ff-ce0c-4e2d-840a-79c17ba2cbce.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--faa5661e-ee58-43d4-ab47-6826ef89b52c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--504f74ff-ce0c-4e2d-840a-79c17ba2cbce", + "created": "2026-04-22T20:40:31.895Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:40:31.895Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--24885921-734f-46c1-85d7-3f79e0b886d6.json b/ics-attack/relationship/relationship--5068c7c3-5922-447a-bf49-8301e797e992.json similarity index 85% rename from ics-attack/relationship/relationship--24885921-734f-46c1-85d7-3f79e0b886d6.json rename to ics-attack/relationship/relationship--5068c7c3-5922-447a-bf49-8301e797e992.json index a98d0cdab4..7e6ab4b7ac 100644 --- a/ics-attack/relationship/relationship--24885921-734f-46c1-85d7-3f79e0b886d6.json +++ b/ics-attack/relationship/relationship--5068c7c3-5922-447a-bf49-8301e797e992.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--2137ffef-66df-44d0-a2a6-4ef63e499923", + "id": "bundle--225b6907-6942-4986-9c7f-0e1ceb1fd1cc", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--24885921-734f-46c1-85d7-3f79e0b886d6", + "id": "relationship--5068c7c3-5922-447a-bf49-8301e797e992", "created": "2023-09-27T14:51:18.262Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -23,10 +23,10 @@ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet gateways with custom firmware to make systems either disabled, shutdown, and/or unrecoverable. (Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json b/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json index 9f08825a17..903f26a92b 100644 --- a/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json +++ b/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d1d55f43-bed0-437a-b8a7-fff1f47bafae", + "id": "bundle--8ad189aa-557e-45de-ab29-e76d5351898e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json b/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json index a694eb42d4..199f2ad51c 100644 --- a/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json +++ b/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a9b9e07-1443-4205-ad16-4f0e7bc4b80e", + "id": "bundle--65169dd9-889e-4755-bf03-6301b90f829f", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--50b3247a-ea71-455e-b299-f00666c05146", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json b/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json index c4e84acad0..63ce547b56 100644 --- a/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json +++ b/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c0c1bb65-a209-45ef-8c9a-4795d6f8e4e9", + "id": "bundle--44a13ff4-6a9b-490f-b43c-2b3f4677f7a8", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--50c20664-75dc-451e-b026-67b1d309e4b5", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", diff --git a/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json b/ics-attack/relationship/relationship--50c2224e-7592-4400-afbb-6434e025bfd8.json similarity index 78% rename from ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json rename to ics-attack/relationship/relationship--50c2224e-7592-4400-afbb-6434e025bfd8.json index 7a944ba873..a60f2f79eb 100644 --- a/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json +++ b/ics-attack/relationship/relationship--50c2224e-7592-4400-afbb-6434e025bfd8.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--bcff3025-efef-4b71-bb46-db75c0ac398f", + "id": "bundle--734b5b0e-10df-44b4-9b10-fa86a28d1aeb", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0", + "id": "relationship--50c2224e-7592-4400-afbb-6434e025bfd8", "created": "2022-09-29T14:28:08.703Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -16,10 +16,10 @@ "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access.", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "target_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5131c799-517c-4bad-ba97-46ad7de956e7.json b/ics-attack/relationship/relationship--5131c799-517c-4bad-ba97-46ad7de956e7.json index acbe29fe8e..71deea53d1 100644 --- a/ics-attack/relationship/relationship--5131c799-517c-4bad-ba97-46ad7de956e7.json +++ b/ics-attack/relationship/relationship--5131c799-517c-4bad-ba97-46ad7de956e7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--24dcccbe-e853-4561-a112-3d4c8ad993d5", + "id": "bundle--e49e0c73-2ff0-4a25-b837-c55d3a7736ee", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--5131c799-517c-4bad-ba97-46ad7de956e7", "created": "2023-09-28T21:17:06.233Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:22.378Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--513e6965-7ce0-47de-b2a0-8f0ba4978ce4.json b/ics-attack/relationship/relationship--513e6965-7ce0-47de-b2a0-8f0ba4978ce4.json new file mode 100644 index 0000000000..663d1f36b2 --- /dev/null +++ b/ics-attack/relationship/relationship--513e6965-7ce0-47de-b2a0-8f0ba4978ce4.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--34ed4e0a-93d8-42d2-bba0-1c11b6721c29", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--513e6965-7ce0-47de-b2a0-8f0ba4978ce4", + "created": "2026-04-22T18:54:42.908Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:54:42.908Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5152ea91-af3f-4317-81ca-b3cf910b471a.json b/ics-attack/relationship/relationship--5152ea91-af3f-4317-81ca-b3cf910b471a.json new file mode 100644 index 0000000000..39220dee86 --- /dev/null 
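Review bot: The object added in relationship--513e6965-7ce0-47de-b2a0-8f0ba4978ce4.json carries an explicit `"revoked": false,`, while this commit deletes that same line from existing relationships such as relationship--5131c799 in the hunk just before it, so the export now mixes both forms. Dropping the line from the added object would keep the data uniform; the added files relationship--5152ea91, relationship--52a592dd, relationship--53754728 and relationship--544f0447 carry the same line. Whichever form is kept, consumers that select live objects need to treat an absent `revoked` as false. A filter written as an equality test against `false` would otherwise silently discard the uses, mitigates and targets relationships whose flag was removed here.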
+++ b/ics-attack/relationship/relationship--5152ea91-af3f-4317-81ca-b3cf910b471a.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--01f74d7e-6726-44f4-b3f4-db79fb888bd1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5152ea91-af3f-4317-81ca-b3cf910b471a", + "created": "2026-04-22T20:27:50.811Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:33:08.419Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries enabled TCP port 445 on Mikronika HMI devices creating a new firewall rule named \u201cMicrosoft Update\u201d.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--51957f0f-79e2-4716-beec-0fec67e4482f.json b/ics-attack/relationship/relationship--51957f0f-79e2-4716-beec-0fec67e4482f.json index 6ffdf978db..284c8d8bce 100644 --- a/ics-attack/relationship/relationship--51957f0f-79e2-4716-beec-0fec67e4482f.json +++ b/ics-attack/relationship/relationship--51957f0f-79e2-4716-beec-0fec67e4482f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7c8baa65-871b-4258-9d29-29b8975c124f", + "id": "bundle--201d5d6d-7ef9-456e-a55c-b059d1df0947", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--51957f0f-79e2-4716-beec-0fec67e4482f", "created": "2025-09-24T18:11:54.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json b/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json index a51b4db3e7..03c72b17cf 100644 --- a/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json +++ b/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--014b1927-ccf4-4f6f-b9fb-5087334234fe", + "id": "bundle--60e1b7af-213b-45db-b7d8-15e3b1728727", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--51eb15a3-48af-470f-94c0-10f25b366d72", "created": "2022-09-28T20:30:22.148Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos-Pipedream", diff --git a/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json b/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json index 38e7299464..873f54c703 100644 --- a/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json +++ b/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c640ee30-e675-4a4e-b360-e1d038d0b0a5", + "id": "bundle--cc24e73b-836a-44e8-a926-ad00be0f04ed", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4", "created": "2019-06-24T17:20:24.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Catalin Cimpanu April 2016", diff --git a/ics-attack/relationship/relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c.json b/ics-attack/relationship/relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c.json index 61e527a53c..0970b4d24f 100644 --- a/ics-attack/relationship/relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c.json +++ b/ics-attack/relationship/relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--674e6049-f5c0-4b99-9b00-7a14ba9645ff", + "id": "bundle--48cf1386-bfab-4080-8356-ef0d75cae87e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c", "created": "2023-09-29T16:40:18.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:23.504Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json b/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json index 6d84ae8450..45b4990d70 100644 --- a/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json +++ b/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--69570d17-f3ae-4773-89ed-be8d84fa1a27", + "id": "bundle--60d4475a-29c1-4793-8a3c-8f29340560ac", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json b/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json index eb4b53c089..9f2650666f 100644 --- a/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json +++ b/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ecfc53b-667e-4968-8202-dc2999d46214", + "id": "bundle--9a531408-d375-4be2-977f-c571bbe6fe83", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--523777f8-4780-4716-807c-08a67450b916.json b/ics-attack/relationship/relationship--523777f8-4780-4716-807c-08a67450b916.json index d16650b0a0..7725dc71b4 100644 --- a/ics-attack/relationship/relationship--523777f8-4780-4716-807c-08a67450b916.json +++ b/ics-attack/relationship/relationship--523777f8-4780-4716-807c-08a67450b916.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--969c98e1-8c2a-4cb0-a461-5b3e8915e167", + "id": "bundle--b7b29bc3-00da-4f1e-8e4a-7591b328c6b7", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--523777f8-4780-4716-807c-08a67450b916", "created": "2023-09-29T18:45:13.052Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:24.163Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--524ffb0f-40ae-4c97-a098-d14001fffa31.json b/ics-attack/relationship/relationship--524ffb0f-40ae-4c97-a098-d14001fffa31.json index 69a9200e7b..6a032b8b8d 100644 --- a/ics-attack/relationship/relationship--524ffb0f-40ae-4c97-a098-d14001fffa31.json 
+++ b/ics-attack/relationship/relationship--524ffb0f-40ae-4c97-a098-d14001fffa31.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--df24e646-ff21-4e26-9582-b383dfc5f76f", + "id": "bundle--42ed15c5-a195-4ce2-a14f-3541040710e2", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--524ffb0f-40ae-4c97-a098-d14001fffa31", "created": "2023-09-29T16:44:54.473Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:24.372Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0.json b/ics-attack/relationship/relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0.json index f6b6262221..49a91348a2 100644 --- a/ics-attack/relationship/relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0.json +++ b/ics-attack/relationship/relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e377c738-e33e-4460-a7c1-aadaca685b28", + "id": "bundle--bdc4d1f6-c9fe-4025-bbf8-1b38fd885330", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--525d0a51-bbf9-4cda-aec9-562bb05bd3a0", "created": "2024-04-09T20:58:49.397Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:24.595Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
diff --git a/ics-attack/relationship/relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6.json b/ics-attack/relationship/relationship--527676d2-9dd0-40c6-8fc5-10209a82c986.json similarity index 71% rename from ics-attack/relationship/relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6.json rename to ics-attack/relationship/relationship--527676d2-9dd0-40c6-8fc5-10209a82c986.json index 75a099d4fa..eea07f57ca 100644 --- a/ics-attack/relationship/relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6.json +++ b/ics-attack/relationship/relationship--527676d2-9dd0-40c6-8fc5-10209a82c986.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--8c13aa32-32ae-4625-a7f6-7565651db34d", + "id": "bundle--a5294c19-0bf4-47bd-ac84-66380fd23fd6", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6", + "id": "relationship--527676d2-9dd0-40c6-8fc5-10209a82c986", "created": "2023-09-28T20:04:44.041Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:39.033Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json b/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json index 8f03fb8fb3..0770f329c6 100644 --- a/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json 
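Review bot: The object in relationship--527676d2-9dd0-40c6-8fc5-10209a82c986.json has a new `id` and a new `source_ref`, yet the context lines keep `"created": "2023-09-28T20:04:44.041Z"` and `"modified": "2025-04-16T23:03:39.033Z"` from the relationship it replaces. A consumer that syncs incrementally on `modified` would not pick up the re-pointed reference, so the line should read `"modified": "[release timestamp]",`, and `created` should be set likewise if this is meant as a new object. As far as this hunk shows, the old id relationship--908e3fa1 disappears with the rename and no revoked stub is left for it, which is worth confirming against the rest of the commit. The same pattern appears in relationship--5338abbc (unchanged `"modified": "2025-04-16T23:05:26.944Z"`) and, judging by its unchanged `created` value, in relationship--50c2224e.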
+++ b/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f7cf6be-05e6-47db-897b-5bafb6dbe189", + "id": "bundle--6debb168-e187-4502-bf72-77a4b972c542", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--529610e5-831f-48df-a22f-fa088b9f9e9e.json b/ics-attack/relationship/relationship--529610e5-831f-48df-a22f-fa088b9f9e9e.json index a071a84e81..a506ab5b59 100644 --- a/ics-attack/relationship/relationship--529610e5-831f-48df-a22f-fa088b9f9e9e.json +++ b/ics-attack/relationship/relationship--529610e5-831f-48df-a22f-fa088b9f9e9e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7c213cef-0aa0-46d9-a9b3-46a195d8f27f", + "id": "bundle--c9e6e4d2-a763-49f1-b85c-c37aba20544d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--529610e5-831f-48df-a22f-fa088b9f9e9e", "created": "2025-09-29T19:10:58.772Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--52a592dd-61c0-4884-a680-0d6f9112077e.json b/ics-attack/relationship/relationship--52a592dd-61c0-4884-a680-0d6f9112077e.json new file mode 100644 index 0000000000..0572c335cb --- /dev/null +++ b/ics-attack/relationship/relationship--52a592dd-61c0-4884-a680-0d6f9112077e.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--e27cc893-a0b1-4606-98af-321cd6f99060", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--52a592dd-61c0-4884-a680-0d6f9112077e", + "created": "2026-04-22T21:35:28.147Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:35:28.147Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json b/ics-attack/relationship/relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json index 8792eba81d..4250e31840 100644 --- a/ics-attack/relationship/relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json +++ b/ics-attack/relationship/relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2bde171a-efe9-4d0f-ad6c-8f0255ce6f57", + "id": "bundle--39210db6-8115-4cde-b2b9-bab8732e5160", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b", "created": "2023-09-28T21:23:26.598Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:25.027Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
diff --git a/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json b/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json index f788e92038..2b6a5c5ed8 100644 --- a/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json +++ b/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d65f6bfb-d7a5-4b0b-9305-2f1b48a16826", + "id": "bundle--e3be56ac-66a9-43a8-9064-adc06d56e8b8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--52e828db-58d0-443e-8d94-54d265d9606e.json b/ics-attack/relationship/relationship--52e828db-58d0-443e-8d94-54d265d9606e.json index 8633572921..21e9644a46 100644 --- a/ics-attack/relationship/relationship--52e828db-58d0-443e-8d94-54d265d9606e.json +++ b/ics-attack/relationship/relationship--52e828db-58d0-443e-8d94-54d265d9606e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d29e2c13-2fcb-416d-a4b9-0158a0d289ab", + "id": "bundle--262e4711-8b6f-4236-bf2b-55f2d21a3601", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--52e828db-58d0-443e-8d94-54d265d9606e", "created": "2023-09-29T17:42:01.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:25.441Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
diff --git a/ics-attack/relationship/relationship--f19c34b2-ef3a-4581-b604-6639f501e32f.json b/ics-attack/relationship/relationship--5338abbc-11f7-44e4-b97e-5439c1c1b45b.json similarity index 71% rename from ics-attack/relationship/relationship--f19c34b2-ef3a-4581-b604-6639f501e32f.json rename to ics-attack/relationship/relationship--5338abbc-11f7-44e4-b97e-5439c1c1b45b.json index 8bae30c8f2..9599bed2d3 100644 --- a/ics-attack/relationship/relationship--f19c34b2-ef3a-4581-b604-6639f501e32f.json +++ b/ics-attack/relationship/relationship--5338abbc-11f7-44e4-b97e-5439c1c1b45b.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--5b137e94-6f23-431c-ad45-8d8ad13bfc5f", + "id": "bundle--0a499939-983b-4827-9ba0-b55e322f36b0", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--f19c34b2-ef3a-4581-b604-6639f501e32f", + "id": "relationship--5338abbc-11f7-44e4-b97e-5439c1c1b45b", "created": "2023-10-02T20:20:32.163Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:26.944Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--533bd747-2567-4c53-a10b-938734f8aeab.json b/ics-attack/relationship/relationship--533bd747-2567-4c53-a10b-938734f8aeab.json index 8ff6ceff98..9deedd9034 100644 --- a/ics-attack/relationship/relationship--533bd747-2567-4c53-a10b-938734f8aeab.json 
+++ b/ics-attack/relationship/relationship--533bd747-2567-4c53-a10b-938734f8aeab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c67d6c04-5840-4e45-9bab-d78a8e81201c", + "id": "bundle--12da55a7-71bb-4fc3-8fdc-537d6f73e34d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--533bd747-2567-4c53-a10b-938734f8aeab", "created": "2024-03-25T17:59:02.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TRITON Dec 2017", diff --git a/ics-attack/relationship/relationship--5343d50a-a36a-4470-9390-98ecd19b800b.json b/ics-attack/relationship/relationship--5343d50a-a36a-4470-9390-98ecd19b800b.json index 6285157f56..be2c887ca9 100644 --- a/ics-attack/relationship/relationship--5343d50a-a36a-4470-9390-98ecd19b800b.json +++ b/ics-attack/relationship/relationship--5343d50a-a36a-4470-9390-98ecd19b800b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fb83209b-e066-42b0-bc72-004ce4b14df3", + "id": "bundle--447e84a1-ceb2-4568-a7ff-58bc7e585b1a", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--f9b7143b-ce86-4cfb-a03a-f39c01904fb1", "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", diff --git a/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json b/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json index cd86c6e89d..d8c9445cff 100644 --- a/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json +++ b/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--943a1fb4-32f3-4802-be37-67205edd6a46", + "id": "bundle--bd4f2581-4db1-4c3b-8978-8efd3d58d7c8", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", diff --git a/ics-attack/relationship/relationship--53754728-a86b-4db2-b4de-197bd491167f.json b/ics-attack/relationship/relationship--53754728-a86b-4db2-b4de-197bd491167f.json new file mode 100644 index 0000000000..d29a239fce --- /dev/null +++ b/ics-attack/relationship/relationship--53754728-a86b-4db2-b4de-197bd491167f.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--ad0851f9-2f20-4930-9d10-a10efd8bf0da", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--53754728-a86b-4db2-b4de-197bd491167f", + "created": "2026-04-22T16:30:09.937Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:30:09.937Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--ff6456fc-576d-4da5-b561-b58f70961b15", + "target_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--538e5653-137a-4ce2-8b08-5ba69caa794a.json b/ics-attack/relationship/relationship--538e5653-137a-4ce2-8b08-5ba69caa794a.json index 82334f849e..29950693da 100644 --- a/ics-attack/relationship/relationship--538e5653-137a-4ce2-8b08-5ba69caa794a.json 
+++ b/ics-attack/relationship/relationship--538e5653-137a-4ce2-8b08-5ba69caa794a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--835fabe8-9dfa-4c4f-a870-c84080941721", + "id": "bundle--abc4987e-c061-419c-bcfc-bb7c840d9012", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--538e5653-137a-4ce2-8b08-5ba69caa794a", "created": "2024-03-25T17:58:07.886Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TRITON Dec 2017", diff --git a/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json b/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json index d9d7090e58..04cda46665 100644 --- a/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json +++ b/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--819b5b84-441d-4640-b128-d873540fc968", + "id": "bundle--f9da3fe4-8c81-44a9-93b3-ae067c55f8e9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--53a54e4a-2b38-4b0c-8f60-252a68767443", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a.json b/ics-attack/relationship/relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a.json index 6f87e28738..77ab556fde 100644 --- a/ics-attack/relationship/relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a.json +++ b/ics-attack/relationship/relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--53bf6e66-0b5c-4b2e-8bae-92e377fb5b58", + "id": "bundle--9f711594-91b5-4565-b8be-012eba65e1f3", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a", "created": "2023-03-30T14:08:23.251Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA June 2013", diff --git a/ics-attack/relationship/relationship--53d7a78d-1431-49e8-944c-62c875e58a20.json b/ics-attack/relationship/relationship--53d7a78d-1431-49e8-944c-62c875e58a20.json index 3dd27864d1..bfdbe7b839 100644 --- a/ics-attack/relationship/relationship--53d7a78d-1431-49e8-944c-62c875e58a20.json +++ b/ics-attack/relationship/relationship--53d7a78d-1431-49e8-944c-62c875e58a20.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd814624-fbf0-4536-a3d9-26d17a7fd3ad", + "id": "bundle--bcb3b40d-3861-4af6-a974-93f66ad40b0f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--53d7a78d-1431-49e8-944c-62c875e58a20", "created": "2023-09-29T17:08:37.793Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:26.835Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json b/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json index e8df9ec99c..4f6bafd51c 100644 --- a/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json +++ b/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--106a5cd3-58b6-414f-a5b6-ce456f158a86", + "id": "bundle--a3e48787-1dea-490b-97c5-9b1957478655", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--5424e327-396f-4b07-94a3-408ffc915686", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos", diff --git a/ics-attack/relationship/relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd.json b/ics-attack/relationship/relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd.json index ab6ce24123..f88d6e33ae 100644 --- a/ics-attack/relationship/relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd.json +++ b/ics-attack/relationship/relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ea7e427e-23bb-45b2-9db2-a03755b6f207", + "id": "bundle--132b9e7b-0696-4216-b47b-c06084801288", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd", "created": "2023-09-29T17:44:32.341Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:27.265Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--544e996c-0bdc-42b2-91af-14c27d4213b9.json b/ics-attack/relationship/relationship--544e996c-0bdc-42b2-91af-14c27d4213b9.json index 2144b5648b..cf84edb57a 100644 --- a/ics-attack/relationship/relationship--544e996c-0bdc-42b2-91af-14c27d4213b9.json +++ b/ics-attack/relationship/relationship--544e996c-0bdc-42b2-91af-14c27d4213b9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d3556a02-ade5-4cca-9e92-84b23a2edcc2", + "id": "bundle--7ffcbe32-3039-4ee3-9c4b-b569daf6806f", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--544e996c-0bdc-42b2-91af-14c27d4213b9", "created": "2023-09-28T21:09:23.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:27.495Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--544f0447-0f37-4b1c-b424-3fbcdee15e63.json b/ics-attack/relationship/relationship--544f0447-0f37-4b1c-b424-3fbcdee15e63.json new file mode 100644 index 0000000000..56bcf63c57 --- /dev/null +++ b/ics-attack/relationship/relationship--544f0447-0f37-4b1c-b424-3fbcdee15e63.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--81da38e1-d0bc-4230-8717-51a59c2fb920", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--544f0447-0f37-4b1c-b424-3fbcdee15e63", + "created": "2026-04-23T00:40:43.328Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:10:25.500Z", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json b/ics-attack/relationship/relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json index cdd75be9d2..8c48877eca 100644 --- a/ics-attack/relationship/relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json +++ b/ics-attack/relationship/relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--880e6690-dc27-4459-b3ad-ea7a82173d6b", + "id": "bundle--2e67ce90-3106-41fd-a385-e19afbaf26aa", "spec_version": "2.0", "objects": [ { 
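Review bot: The `description` of the "Department of Homeland Security September 2016" entry in `external_references` is not a usable citation: `Department of Homeland Security 2016, September Retrieved. 2020/09/25 ` has no document title, a stray "Retrieved." ahead of the date, and a trailing space. The other references added in this commit use the `Author. (YYYY, Month D). Title. Retrieved Month D, YYYY.` form, so the only evidence for this mitigation can be identified through its URL alone. I would rewrite it as `"description": "Department of Homeland Security. (2016, September). <document title>. Retrieved September 25, 2020."`, with the title filled in from the PDF. The "Kevin Beaumont" reference in the new relationship--58edd7e0-7b54-4ac5-8e84-81e2dfb03a71.json has the same shape and needs the same fix.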
@@ -8,12 +8,10 @@ "id": "relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56", "created": "2023-09-28T20:10:44.014Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:27.715Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json b/ics-attack/relationship/relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json index d2b2ad0e63..70c54e07ae 100644 --- a/ics-attack/relationship/relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json +++ b/ics-attack/relationship/relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a73feea-0bdd-4dfc-a9bb-43b0e65f34dd", + "id": "bundle--00ca44b4-b19d-4d27-8fe8-a5b6571972fe", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b", "created": "2023-03-30T19:24:38.022Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 Mandiant April 2022", diff --git a/ics-attack/relationship/relationship--a66c4662-0998-418e-9605-eae7d8dbb69d.json b/ics-attack/relationship/relationship--5542d884-ac75-4e1f-9d60-29add89c8567.json similarity index 78% rename from ics-attack/relationship/relationship--a66c4662-0998-418e-9605-eae7d8dbb69d.json rename to ics-attack/relationship/relationship--5542d884-ac75-4e1f-9d60-29add89c8567.json index 4db0d8fdd6..8c85d7a9d1 100644 --- a/ics-attack/relationship/relationship--a66c4662-0998-418e-9605-eae7d8dbb69d.json +++ b/ics-attack/relationship/relationship--5542d884-ac75-4e1f-9d60-29add89c8567.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--b9bafc8b-d231-497f-901e-36cfb7e9f3a4", + "id": "bundle--e540db80-b153-4a13-9e57-497cc7cad164", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--a66c4662-0998-418e-9605-eae7d8dbb69d", + "id": "relationship--5542d884-ac75-4e1f-9d60-29add89c8567", "created": "2025-09-29T19:02:48.640Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-29T19:02:48.640Z", "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, diff --git a/ics-attack/relationship/relationship--55adf560-78f2-4804-a135-ec49bb70c6a4.json b/ics-attack/relationship/relationship--55adf560-78f2-4804-a135-ec49bb70c6a4.json new file mode 100644 index 0000000000..c7618cece0 --- /dev/null +++ b/ics-attack/relationship/relationship--55adf560-78f2-4804-a135-ec49bb70c6a4.json 
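Review bot: The relationship receives a new `id` (relationship--5542d884-ac75-4e1f-9d60-29add89c8567) and a new `source_ref`, yet `created` and `modified` both stay at `2025-09-29T19:02:48.640Z`, so the timestamps no longer say when this object or its current content came into existence. A consumer that syncs incrementally on `modified` will presumably skip it. Nothing visible here marks relationship--a66c4662-0998-418e-9605-eae7d8dbb69d as revoked or deprecated, so coverage mappings keyed to the old id would be left pointing at an object that no longer exists. I would set both timestamps to the time of this change, `"created": "<time of this change>"` with a matching `"modified"`. The rename to relationship--56a561d2-5230-4456-99b5-989dbeac715c.json further down shows the same pattern.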
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--db84ce3c-7997-4b00-bcf2-f79d333e0105", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--55adf560-78f2-4804-a135-ec49bb70c6a4", + "created": "2026-04-22T16:38:28.001Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:38:28.001Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--56636da0-ea2b-4c51-87d2-f7fcff26ea1a.json b/ics-attack/relationship/relationship--56636da0-ea2b-4c51-87d2-f7fcff26ea1a.json new file mode 100644 index 0000000000..d79fd348c0 --- /dev/null +++ b/ics-attack/relationship/relationship--56636da0-ea2b-4c51-87d2-f7fcff26ea1a.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--00af2f35-3a38-4309-8c3e-94e1692453e1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--56636da0-ea2b-4c51-87d2-f7fcff26ea1a", + "created": "2026-04-22T18:57:23.003Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:57:23.003Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json b/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json index 62a23eba6d..6fb2908e0b 100644 --- a/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json +++ b/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a23e3aec-cdf6-4090-8a22-5a161e685995", + "id": "bundle--11bc0aa4-1a20-49fa-b033-a41e3d8b9b17", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18.json b/ics-attack/relationship/relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18.json index 5667aa99da..ccafc9e951 100644 --- a/ics-attack/relationship/relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18.json +++ b/ics-attack/relationship/relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3f26ac47-8a31-4a77-b702-6915edabc18b", + "id": "bundle--99a18a94-a0f8-48f7-af44-fb3edb93e520", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18", "created": "2023-09-29T18:05:18.147Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:29.624Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--37f69c20-9158-4091-88dd-fc42b85de265.json b/ics-attack/relationship/relationship--56a561d2-5230-4456-99b5-989dbeac715c.json similarity index 78% rename from ics-attack/relationship/relationship--37f69c20-9158-4091-88dd-fc42b85de265.json rename to ics-attack/relationship/relationship--56a561d2-5230-4456-99b5-989dbeac715c.json index e18639c9a7..329d3acbfc 100644 --- a/ics-attack/relationship/relationship--37f69c20-9158-4091-88dd-fc42b85de265.json +++ b/ics-attack/relationship/relationship--56a561d2-5230-4456-99b5-989dbeac715c.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--085ac86b-a850-42dd-a09d-39882b4ab481", + "id": "bundle--2f32e543-bb18-48d3-8adc-a0ea22ec64c6", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--37f69c20-9158-4091-88dd-fc42b85de265", + "id": "relationship--56a561d2-5230-4456-99b5-989dbeac715c", "created": "2025-09-24T18:20:10.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-24T18:20:10.625Z", "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, 
diff --git a/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json b/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json index 0b9d0f6152..d344b8e340 100644 --- a/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json +++ b/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--73e75ba0-006c-43c9-abaf-52f4d628dcc2", + "id": "bundle--40478f11-5656-47c5-bf65-a4061d083aac", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jos Wetzels January 2018", diff --git a/ics-attack/relationship/relationship--56f22365-3711-468a-8f57-ee4193bf1ee8.json b/ics-attack/relationship/relationship--56f22365-3711-468a-8f57-ee4193bf1ee8.json index eaaf4ede71..0b277269a0 100644 --- a/ics-attack/relationship/relationship--56f22365-3711-468a-8f57-ee4193bf1ee8.json +++ b/ics-attack/relationship/relationship--56f22365-3711-468a-8f57-ee4193bf1ee8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--772794ad-78b8-4bc6-a8b5-bd7dfffb411e", + "id": "bundle--daccb4fe-92e8-4334-bebb-2ece2e32d8d2", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--56f22365-3711-468a-8f57-ee4193bf1ee8", "created": "2025-09-29T21:57:55.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json b/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json index 4eb06293d0..3d62fdd7d0 100644 --- a/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json 
+++ b/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a7a2bbe2-6e1c-42a5-b870-7b01494778fe", + "id": "bundle--1f0ce730-5b18-4d20-b4e7-f08e7bf44701", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--577b53a0-44ff-4cc4-b571-455d61e596c0.json b/ics-attack/relationship/relationship--577b53a0-44ff-4cc4-b571-455d61e596c0.json index cc9dff9a6d..f1b16709e1 100644 --- a/ics-attack/relationship/relationship--577b53a0-44ff-4cc4-b571-455d61e596c0.json +++ b/ics-attack/relationship/relationship--577b53a0-44ff-4cc4-b571-455d61e596c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d49093f3-10e2-4600-9259-25a0a7cfb8b7", + "id": "bundle--354fb964-ec26-4a4d-b74c-2322ccae30eb", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--577b53a0-44ff-4cc4-b571-455d61e596c0", "created": "2023-09-28T20:27:17.431Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:30.910Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json b/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json index df5399d0ad..c0772f48eb 100644 --- a/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json +++ b/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95df710b-73d8-4648-b208-07139996b9a2", + "id": "bundle--b029f0a1-1d4f-4780-a928-48d3828f86e7", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", diff --git a/ics-attack/relationship/relationship--57abea59-09c3-496f-a6b9-21c6a0cb9b7a.json b/ics-attack/relationship/relationship--57abea59-09c3-496f-a6b9-21c6a0cb9b7a.json new file mode 100644 index 0000000000..a22169206a --- /dev/null +++ b/ics-attack/relationship/relationship--57abea59-09c3-496f-a6b9-21c6a0cb9b7a.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--fdf86e35-d730-499b-8617-9d18f4f0e4b2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--57abea59-09c3-496f-a6b9-21c6a0cb9b7a", + "created": "2026-04-22T20:17:22.389Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:03:30.830Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used the `nircmd` utility to capture screenshots of systems.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json b/ics-attack/relationship/relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json index ca93ed45fe..585167f7bc 100644 --- a/ics-attack/relationship/relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json +++ b/ics-attack/relationship/relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--089d1040-fc02-4ea8-a6db-f78d59c2f6fa", + "id": "bundle--a7921304-0ccc-41f2-b57c-fdb298a6869f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141", "created": "2023-03-31T18:12:35.414Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET Industroyer", diff --git a/ics-attack/relationship/relationship--57ff803c-0380-4176-bb42-f7bb30e79fec.json b/ics-attack/relationship/relationship--57ff803c-0380-4176-bb42-f7bb30e79fec.json index 739dcf6035..3d344fd892 100644 --- a/ics-attack/relationship/relationship--57ff803c-0380-4176-bb42-f7bb30e79fec.json +++ b/ics-attack/relationship/relationship--57ff803c-0380-4176-bb42-f7bb30e79fec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--969bcb4f-a42c-4108-a807-1b8d9c88a27e", + "id": "bundle--8192fe4a-66e2-4615-99b1-484a88764dfe", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--57ff803c-0380-4176-bb42-f7bb30e79fec", "created": "2025-09-29T19:58:27.480Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json b/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json index 199a7c7144..cf98d440b7 100644 --- a/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json 
+++ b/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d04b71b-2ee3-4171-8720-c8efecf4306e", + "id": "bundle--d1dd26e5-21d2-42a4-ac02-8ac499874b73", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5812613d-e4ef-4201-a717-c7f239daeaf3.json b/ics-attack/relationship/relationship--5812613d-e4ef-4201-a717-c7f239daeaf3.json new file mode 100644 index 0000000000..386671ea04 --- /dev/null +++ b/ics-attack/relationship/relationship--5812613d-e4ef-4201-a717-c7f239daeaf3.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--3d109776-b485-466f-88d4-08b74b149bb9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5812613d-e4ef-4201-a717-c7f239daeaf3", + "created": "2026-04-22T22:48:32.057Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:48:32.057Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json b/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json index ae4c7fae2d..32e4e2d170 100644 --- a/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json +++ b/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3178a91a-a781-4c39-85a1-3498dddab68a", + "id": "bundle--628033e1-afc1-4265-acbb-8762927ca1ef", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--582aca6c-d421-4c84-89fc-f52e87cc306a.json b/ics-attack/relationship/relationship--582aca6c-d421-4c84-89fc-f52e87cc306a.json new file mode 100644 index 0000000000..af65bdb21e --- /dev/null +++ b/ics-attack/relationship/relationship--582aca6c-d421-4c84-89fc-f52e87cc306a.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--fab3576d-cfc5-4924-ac06-3ce0e9b1a37a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--582aca6c-d421-4c84-89fc-f52e87cc306a", + "created": "2026-04-22T18:55:28.835Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:55:28.835Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--58978012-8185-4a15-9bbc-6bdb33c91039.json b/ics-attack/relationship/relationship--58978012-8185-4a15-9bbc-6bdb33c91039.json new file mode 100644 index 0000000000..88eee900be --- /dev/null +++ b/ics-attack/relationship/relationship--58978012-8185-4a15-9bbc-6bdb33c91039.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--37aa719c-7c4d-4695-9683-7fc06640e587", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--58978012-8185-4a15-9bbc-6bdb33c91039", + "created": "2026-04-20T20:54:16.595Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:16.595Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", + "target_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json b/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json index 133c9b0026..8848e89ca4 100644 --- a/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json +++ b/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1282c7a5-7ac8-476e-9376-6780d7c6d2b4", + "id": "bundle--be8304a4-2c6a-418b-8d96-929782e04b55", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba.json b/ics-attack/relationship/relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba.json index 4484d6bdd8..583fcc0590 100644 --- a/ics-attack/relationship/relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba.json +++ b/ics-attack/relationship/relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef5875a6-e509-49e3-a98c-eb5e3eaf1e47", + "id": "bundle--2b8c29b7-7dc4-4d45-9661-7ab58273bf93", "spec_version": "2.0", "objects": [ { 
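Review bot: This new `subtechnique-of` relationship omits `x_mitre_deprecated`, while every other object added in the visible part of this commit writes `"x_mitre_deprecated": false`. A consumer that requires the key to be present and false, rather than defaulting an absent key, would drop this link and lose the parent/sub-technique mapping. I would add `"x_mitre_deprecated": false,` after the `x_mitre_modified_by_ref` line for consistency. The same commit strips `"revoked": false` from existing objects but writes it in new ones, so readers of this data should treat both keys as optional with a false default.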
@@ -8,12 +8,10 @@ "id": "relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba", "created": "2023-09-28T19:38:03.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:32.268Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json b/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json index 38296ed540..7303e62a99 100644 --- a/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json +++ b/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e73ed9e-35d3-4b44-9915-398bf1d17a2c", + "id": "bundle--10f44099-2101-4711-b306-5e4c1e20d91c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--58edd7e0-7b54-4ac5-8e84-81e2dfb03a71.json b/ics-attack/relationship/relationship--58edd7e0-7b54-4ac5-8e84-81e2dfb03a71.json new file mode 100644 index 0000000000..a8025cbd61 --- /dev/null +++ b/ics-attack/relationship/relationship--58edd7e0-7b54-4ac5-8e84-81e2dfb03a71.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--dccf64a4-38a1-4e28-a56f-05a05e5e6e3c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--58edd7e0-7b54-4ac5-8e84-81e2dfb03a71", + "created": "2026-04-22T22:21:11.962Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LockerGoga Revisited", + "description": "Joe Slowik. (2020, March 17). Spyware Stealer Locker Wiper: LockerGoga Revisited. Retrieved April 22, 2026.", + "url": "https://www.dragos.com/blog/industry-news/spyware-stealer-locker-wiper-lockergoga-revisited/" + }, + { + "source_name": "Kevin Beaumont", + "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", + "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" + }, + { + "source_name": "Detecting LockerGoga", + "description": "Oleg Kolesnikov and Harshvardhan Parashar. (2019, April 30). Detecting LockerGoga Targeted IT/OT Cyber Sabotage/Ransomware Attacks. 
Retrieved April 22, 2026.", + "url": "https://www.securonix.com/wp-content/uploads/2021/07/Securonix-Threat-Research-Report-Detecting-LockerGoga.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:35:28.172Z", + "description": "[LockerGoga](https://attack.mitre.org/software/S0372) had blocked network communications by disabling all the network interfaces on the system via netsh.exe.(Citation: LockerGoga Revisited)(Citation: Kevin Beaumont)(Citation: Detecting LockerGoga)", + "relationship_type": "uses", + "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "target_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json b/ics-attack/relationship/relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json index f468ee000f..4ded7ccde2 100644 --- a/ics-attack/relationship/relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json +++ b/ics-attack/relationship/relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--78c396e5-75a8-4919-b117-0f90bcca3217", + "id": "bundle--80ba0501-7aca-4d4e-adee-00ac6e23a9d6", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1", "created": "2023-09-28T20:27:33.713Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:32.703Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--58fdcdd1-d3e2-43b4-80a8-8f9ba7f967c2.json b/ics-attack/relationship/relationship--58fdcdd1-d3e2-43b4-80a8-8f9ba7f967c2.json new file mode 100644 index 0000000000..a332b5a1fe --- /dev/null +++ b/ics-attack/relationship/relationship--58fdcdd1-d3e2-43b4-80a8-8f9ba7f967c2.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--85c24cb6-4565-4c47-8322-bc224d367d93", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--58fdcdd1-d3e2-43b4-80a8-8f9ba7f967c2", + "created": "2026-04-22T20:23:50.776Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:23:50.776Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used DynoWiper and built-in commands to destroy data on Mikronika RTUs, Hitachi Relion Protection and Control Relays (IEDs), and HMI workstations.(Citation: CERT Polska)\n\nDuring the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used LazyWiper to destroy data at a manufacturing sector company.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json b/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json index 08c2c0aa98..1c8825a34d 100644 --- a/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json 
+++ b/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f61d6fca-e255-4ea4-9001-596c5b5bffa0", + "id": "bundle--fe60e00a-ce68-499b-a66c-fec6d306da8d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json b/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json index 80443ff56e..53ec51d4bb 100644 --- a/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json +++ b/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--58792a73-c34c-4e45-a5eb-44536b3164c5", + "id": "bundle--c8e36436-bf64-4dee-987d-09edaf32c445", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json b/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json index 05d69d2ced..59856fcf63 100644 --- a/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json +++ b/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8765aa84-8b54-4d90-a62f-f4661a05113d", + "id": "bundle--1da4760c-041a-4c79-a3dc-d58cff57504b", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--591620d3-5549-49db-9080-43f86a68a590", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "DHS CISA February 2019", diff --git a/ics-attack/relationship/relationship--5916d742-2fcf-4421-b3c1-e4370cabfa13.json b/ics-attack/relationship/relationship--5916d742-2fcf-4421-b3c1-e4370cabfa13.json new file mode 100644 index 0000000000..68aa95fd73 --- /dev/null 
+++ b/ics-attack/relationship/relationship--5916d742-2fcf-4421-b3c1-e4370cabfa13.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--130ff4cd-2f1d-41c7-9e36-5c2281c24093", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5916d742-2fcf-4421-b3c1-e4370cabfa13", + "created": "2026-04-22T18:57:02.202Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:57:02.202Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5924f411-11f0-4ac9-94b5-0f8dec844999.json b/ics-attack/relationship/relationship--5924f411-11f0-4ac9-94b5-0f8dec844999.json index aa9729e06d..e53a63b5c9 100644 --- a/ics-attack/relationship/relationship--5924f411-11f0-4ac9-94b5-0f8dec844999.json +++ b/ics-attack/relationship/relationship--5924f411-11f0-4ac9-94b5-0f8dec844999.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--69eb7aba-47f3-47fa-ba4c-aa0980e3e3bb", + "id": "bundle--e4043cac-5c0f-44fb-a9f2-0f74c734da11", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5924f411-11f0-4ac9-94b5-0f8dec844999", "created": "2025-09-29T19:51:26.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--59685dcb-3076-4171-b43f-0ddca6555dc0.json b/ics-attack/relationship/relationship--59685dcb-3076-4171-b43f-0ddca6555dc0.json new file mode 100644 index 0000000000..4316f8d1ac --- /dev/null +++ b/ics-attack/relationship/relationship--59685dcb-3076-4171-b43f-0ddca6555dc0.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--6b1ae641-39bd-4872-9f4d-1462a45e85a6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--59685dcb-3076-4171-b43f-0ddca6555dc0", + "created": "2026-04-23T14:30:09.007Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T14:30:09.007Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
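Review bot: The new `description` in relationship--59685dcb has a grammar error and a stray trailing space: it reads "can modified program logic" and ends with `(Citation: Wylie-22) `. It should read `can modify program logic on Omron PLCs` and end directly after the closing parenthesis of the citation. The `external_references` entry also has no "Retrieved <date>" clause, unlike the CERT Polska reference added elsewhere in this commit, so the access date of the DEF CON PDF is not recorded.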
diff --git a/ics-attack/relationship/relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b.json b/ics-attack/relationship/relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b.json index 01d0e218a5..71aa05d380 100644 --- a/ics-attack/relationship/relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b.json +++ b/ics-attack/relationship/relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--be873d16-f415-4bcf-8b7a-2a2af2bb8f89", + "id": "bundle--1b4f828c-ede2-4314-a1e8-45bb208f767a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b", "created": "2023-09-28T21:28:21.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:33.839Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--598386c1-778c-41b7-af1e-e0947651f4ca.json b/ics-attack/relationship/relationship--598386c1-778c-41b7-af1e-e0947651f4ca.json new file mode 100644 index 0000000000..efb1f6ea18 --- /dev/null +++ b/ics-attack/relationship/relationship--598386c1-778c-41b7-af1e-e0947651f4ca.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--0ce5d9ec-a5c7-45cd-8df6-80ba44f123aa", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--598386c1-778c-41b7-af1e-e0947651f4ca", + "created": "2026-04-23T00:27:58.043Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:12:29.219Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8.json b/ics-attack/relationship/relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8.json index ba7cf9527b..e87afd78b7 100644 --- a/ics-attack/relationship/relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8.json +++ b/ics-attack/relationship/relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8.json 
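Review bot: The `external_references[0].description` in the new relationship--598386c1 file is not a usable citation. `Department of Homeland Security 2016, September Retrieved. 2020/09/25 ` has no document title, a misplaced "Retrieved", a date format that differs from the other references in this commit, and a trailing space. Since this is the only source backing the host-based allowlist mitigation, it should follow the usual form, e.g. `Department of Homeland Security. (2016, September). <document title>. Retrieved September 25, 2020.`, with the title taken from the PDF itself. It is also worth confirming that the `us-cert.cisa.gov` URL still resolves, as the object is created in 2026 but cites a 2020 retrieval.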
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d7672889-da51-424e-a025-8b1c06fa6e3e", + "id": "bundle--d511af8e-09c4-4f8c-bc75-4e9bdf7d75dc", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8", "created": "2023-09-29T17:09:25.690Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:34.042Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc.json b/ics-attack/relationship/relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc.json index e9febe36c5..28df3c9054 100644 --- a/ics-attack/relationship/relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc.json +++ b/ics-attack/relationship/relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bfcbaf38-b052-446e-b97d-679d701b1197", + "id": "bundle--44bf9782-7c40-4d5b-9393-4084f5cced27", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc", "created": "2023-03-10T20:30:43.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", diff --git a/ics-attack/relationship/relationship--5a43a422-4235-44b8-87e4-bc82e83d44f3.json b/ics-attack/relationship/relationship--5a43a422-4235-44b8-87e4-bc82e83d44f3.json index 048ae8d70f..b03780859a 100644 --- a/ics-attack/relationship/relationship--5a43a422-4235-44b8-87e4-bc82e83d44f3.json +++ b/ics-attack/relationship/relationship--5a43a422-4235-44b8-87e4-bc82e83d44f3.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9eff186f-93c5-425e-8596-1512564c7159", + "id": "bundle--4a0767e8-ec35-4fb4-b231-b55219c92062", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5a43a422-4235-44b8-87e4-bc82e83d44f3", "created": "2025-09-24T18:13:43.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--5a96d5e3-4c95-4312-a43a-b986d9bb5781.json b/ics-attack/relationship/relationship--5a96d5e3-4c95-4312-a43a-b986d9bb5781.json new file mode 100644 index 0000000000..776ead46cc --- /dev/null +++ b/ics-attack/relationship/relationship--5a96d5e3-4c95-4312-a43a-b986d9bb5781.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--9d7f5260-98a0-4af0-90d8-f9c51d0bb37e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5a96d5e3-4c95-4312-a43a-b986d9bb5781", + "created": "2026-04-22T22:50:54.223Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:50:54.223Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba.json b/ics-attack/relationship/relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba.json index 7a29d17b4f..15735ee5e7 100644 --- a/ics-attack/relationship/relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba.json 
+++ b/ics-attack/relationship/relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b32e392-263f-401f-be7e-b881396d048f", + "id": "bundle--f455f2d4-ef0d-4d8c-86f1-6ae045437415", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba", "created": "2023-09-28T20:07:36.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:35.030Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--5adfe50f-938b-4d8e-885d-0c0ebf43bdcd.json b/ics-attack/relationship/relationship--5adfe50f-938b-4d8e-885d-0c0ebf43bdcd.json index 8a943779d7..6f96a5baed 100644 --- a/ics-attack/relationship/relationship--5adfe50f-938b-4d8e-885d-0c0ebf43bdcd.json +++ b/ics-attack/relationship/relationship--5adfe50f-938b-4d8e-885d-0c0ebf43bdcd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--780f9e7e-62c2-45db-9498-8176f7334bd9", + "id": "bundle--7b9b51b3-6139-48bd-8966-4e9c4fdd712b", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5adfe50f-938b-4d8e-885d-0c0ebf43bdcd", "created": "2025-09-24T18:21:38.152Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json b/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json index f14eef634a..93706af1be 100644 --- a/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json 
+++ b/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3bcf17e8-c7d0-4043-9e72-40f11f674608", + "id": "bundle--7c78706c-0241-4e9a-8986-cc30b8103328", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ac933d76-8207-4bf7-add2-92b60cf3044b.json b/ics-attack/relationship/relationship--5ae382ac-27c6-480a-9269-241751553c52.json similarity index 71% rename from ics-attack/relationship/relationship--ac933d76-8207-4bf7-add2-92b60cf3044b.json rename to ics-attack/relationship/relationship--5ae382ac-27c6-480a-9269-241751553c52.json index a2042e95f9..652b6bc933 100644 --- a/ics-attack/relationship/relationship--ac933d76-8207-4bf7-add2-92b60cf3044b.json +++ b/ics-attack/relationship/relationship--5ae382ac-27c6-480a-9269-241751553c52.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--e26e873c-cb4b-47a5-9b88-8287a7f865ff", + "id": "bundle--ca2d2992-1db9-46c6-9de3-d257db020ce9", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--ac933d76-8207-4bf7-add2-92b60cf3044b", + "id": "relationship--5ae382ac-27c6-480a-9269-241751553c52", "created": "2023-09-28T20:04:54.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:07.564Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
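Review bot: In the rename of relationship--ac933d76 to relationship--5ae382ac, the object gets a new `id` and a different `source_ref` but keeps its old timestamps (`created` 2023-09-28, `modified` 2025-04-16T23:04:07.564Z). A consumer that syncs incrementally on `modified`, or keys on `id`, would presumably see the old relationship vanish without a `revoked` marker and a "new" one that looks a year old. The renamed sections for relationship--5bd2b468 and relationship--5bfb710a have the same pattern. If the retargeting is intentional, consider stamping the new object with the release time, e.g. `"modified": "<release timestamp>"`, or keeping the original id and bumping `modified`. This may be the exporter's normal behaviour, which this diff does not show.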
diff --git a/ics-attack/relationship/relationship--5b060600-e8b8-4dd8-8ed7-aadbccb8e2a8.json b/ics-attack/relationship/relationship--5b060600-e8b8-4dd8-8ed7-aadbccb8e2a8.json new file mode 100644 index 0000000000..e940047141 --- /dev/null +++ b/ics-attack/relationship/relationship--5b060600-e8b8-4dd8-8ed7-aadbccb8e2a8.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--7474794e-ab8f-4729-8b6a-7e82017fb51f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5b060600-e8b8-4dd8-8ed7-aadbccb8e2a8", + "created": "2026-04-22T16:04:28.120Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:52:40.357Z", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5b14c813-09e2-4709-ab42-94830cf9538c.json b/ics-attack/relationship/relationship--5b14c813-09e2-4709-ab42-94830cf9538c.json index 109195c647..cf64ed2ce4 100644 --- a/ics-attack/relationship/relationship--5b14c813-09e2-4709-ab42-94830cf9538c.json +++ b/ics-attack/relationship/relationship--5b14c813-09e2-4709-ab42-94830cf9538c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6523b7ff-6046-423a-91f0-f8a7d84c1da5", + "id": "bundle--0145e9e3-06df-4815-9874-6053b407ca05", "spec_version": "2.0", "objects": [ { 
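Review bot: The new mitigation `description` in relationship--5b060600 overstates what firmware encryption provides and carries no `external_references` entry, unlike the allowlist mitigation added in relationship--598386c1. Encryption keeps the image confidential and slows analysis, but it does not verify that firmware is authentic, so a reader could take it as sufficient on its own. A tighter wording would be `Encrypt firmware images to make it harder for adversaries to analyze them for vulnerabilities; encryption complements, and does not replace, firmware signing and integrity verification.`, plus a cited source for the recommendation.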
@@ -8,12 +8,10 @@ "id": "relationship--5b14c813-09e2-4709-ab42-94830cf9538c", "created": "2023-09-29T18:42:39.876Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:35.448Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--5b701c8d-374a-4a6b-a695-b5c7a747ceb2.json b/ics-attack/relationship/relationship--5b701c8d-374a-4a6b-a695-b5c7a747ceb2.json index 44dc00e590..f7dba87bdc 100644 --- a/ics-attack/relationship/relationship--5b701c8d-374a-4a6b-a695-b5c7a747ceb2.json +++ b/ics-attack/relationship/relationship--5b701c8d-374a-4a6b-a695-b5c7a747ceb2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--06865596-b368-491e-8430-94e26426eb0e", + "id": "bundle--e1586811-3b9f-4fb5-854e-281cebd26faa", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5b701c8d-374a-4a6b-a695-b5c7a747ceb2", "created": "2024-11-20T23:09:31.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", diff --git a/ics-attack/relationship/relationship--5bad41f1-7a3f-42c6-9b9d-6975212697e2.json b/ics-attack/relationship/relationship--5bad41f1-7a3f-42c6-9b9d-6975212697e2.json index 0600927b11..8b1218e21c 100644 --- a/ics-attack/relationship/relationship--5bad41f1-7a3f-42c6-9b9d-6975212697e2.json +++ b/ics-attack/relationship/relationship--5bad41f1-7a3f-42c6-9b9d-6975212697e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cef9d41d-bf56-438c-a39e-3865927d6b8b", + "id": "bundle--983531c4-ae47-40bf-9a05-a68d9c0204e0", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--5bad41f1-7a3f-42c6-9b9d-6975212697e2", "created": "2025-09-29T21:59:28.930Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json b/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json index 6581d39930..6fdac0a5ac 100644 --- a/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json +++ b/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--809c83e3-c7c0-4629-b058-916408b306a3", + "id": "bundle--29219f9a-3898-4769-a8cb-2326181ea7de", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", diff --git a/ics-attack/relationship/relationship--7205e59d-c09a-4b06-b1fc-cee61ef8344d.json b/ics-attack/relationship/relationship--5bd2b468-10de-4346-80f0-f46f25707069.json similarity index 78% rename from ics-attack/relationship/relationship--7205e59d-c09a-4b06-b1fc-cee61ef8344d.json rename to ics-attack/relationship/relationship--5bd2b468-10de-4346-80f0-f46f25707069.json index 4e26cf3ef4..2770ce2148 100644 --- a/ics-attack/relationship/relationship--7205e59d-c09a-4b06-b1fc-cee61ef8344d.json +++ b/ics-attack/relationship/relationship--5bd2b468-10de-4346-80f0-f46f25707069.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--39dc6649-4fdc-41cb-abdc-93b13ca94c00", + "id": "bundle--a8b53677-6c42-4efc-b1c1-fb7f0967581a", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--7205e59d-c09a-4b06-b1fc-cee61ef8344d", + "id": "relationship--5bd2b468-10de-4346-80f0-f46f25707069", "created": "2025-09-29T19:15:19.909Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-29T19:15:19.909Z", "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, diff --git a/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json b/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json index 7843b0b7cb..6e05bd39c6 100644 --- a/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json +++ b/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--719cc77c-27ff-48b6-9f90-74da54809310", + "id": "bundle--376f063b-9121-4d7f-b351-17838e5df725", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5beda54d-cd1f-491b-a85e-d7618a0683ad.json b/ics-attack/relationship/relationship--5beda54d-cd1f-491b-a85e-d7618a0683ad.json index 43a432ef5a..46f0783e92 100644 --- a/ics-attack/relationship/relationship--5beda54d-cd1f-491b-a85e-d7618a0683ad.json +++ b/ics-attack/relationship/relationship--5beda54d-cd1f-491b-a85e-d7618a0683ad.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3d2fecc-7579-44d4-a8ef-2cae08f48159", + "id": "bundle--265b91b4-7dec-46e6-b8b5-cb2a3e51e4f1", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5beda54d-cd1f-491b-a85e-d7618a0683ad", "created": "2024-03-28T14:28:10.742Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TRITON Dec 2017", diff --git a/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json b/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json index 05f4c1150a..1ef1448366 100644 --- a/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json +++ b/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--813fdfdb-f4f0-4b05-aa6e-2669a869e8e9", + "id": "bundle--7906eb05-697a-41e1-b60b-25132070ee51", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--4508bdef-9528-47ae-804c-bc59d1e694e7.json b/ics-attack/relationship/relationship--5bfb710a-02bb-4c4a-8f4a-8a7fe66c453f.json similarity index 71% rename from ics-attack/relationship/relationship--4508bdef-9528-47ae-804c-bc59d1e694e7.json rename to ics-attack/relationship/relationship--5bfb710a-02bb-4c4a-8f4a-8a7fe66c453f.json index a5f3aa1d8c..87a9f93705 100644 --- a/ics-attack/relationship/relationship--4508bdef-9528-47ae-804c-bc59d1e694e7.json +++ b/ics-attack/relationship/relationship--5bfb710a-02bb-4c4a-8f4a-8a7fe66c453f.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--07bd6597-6f28-40df-8d6e-ce3615f384bc", + "id": "bundle--43e33947-8dbf-411e-bd67-187e58fe6233", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--4508bdef-9528-47ae-804c-bc59d1e694e7", + "id": "relationship--5bfb710a-02bb-4c4a-8f4a-8a7fe66c453f", "created": "2023-09-28T20:02:35.354Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:11.638Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5c47a389-30fb-4d42-935d-282c29b67feb.json b/ics-attack/relationship/relationship--5c47a389-30fb-4d42-935d-282c29b67feb.json index d2bbca84c8..07bf260814 100644 --- a/ics-attack/relationship/relationship--5c47a389-30fb-4d42-935d-282c29b67feb.json +++ b/ics-attack/relationship/relationship--5c47a389-30fb-4d42-935d-282c29b67feb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e163143f-aa28-48f2-a006-bc1dd3e63a86", + "id": "bundle--cd6ee6d7-43eb-40be-bcfc-a71c3ef6cd56", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5c47a389-30fb-4d42-935d-282c29b67feb", "created": "2025-09-29T19:32:38.792Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--5c4add91-8956-4d66-a5e9-d17e7ee92cfb.json b/ics-attack/relationship/relationship--5c4add91-8956-4d66-a5e9-d17e7ee92cfb.json index 213cd96d15..dcf58ffe65 100644 --- a/ics-attack/relationship/relationship--5c4add91-8956-4d66-a5e9-d17e7ee92cfb.json +++ b/ics-attack/relationship/relationship--5c4add91-8956-4d66-a5e9-d17e7ee92cfb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a996e277-7321-45a2-a659-10937ccea46d", + "id": "bundle--4d9d0dbc-01e9-41c9-9171-7aaa55f8f7f7", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5c4add91-8956-4d66-a5e9-d17e7ee92cfb", "created": "2025-09-29T19:25:44.519Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--5c61c8a2-bfff-43fb-8397-bff864413d74.json b/ics-attack/relationship/relationship--5c61c8a2-bfff-43fb-8397-bff864413d74.json index ab47ddcc95..d70370dd92 100644 --- a/ics-attack/relationship/relationship--5c61c8a2-bfff-43fb-8397-bff864413d74.json +++ b/ics-attack/relationship/relationship--5c61c8a2-bfff-43fb-8397-bff864413d74.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7c2cf2c1-2126-43ce-9897-429cddc41614", + "id": "bundle--76d208f7-f626-4a99-88f9-9d97f34ee78a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--5c61c8a2-bfff-43fb-8397-bff864413d74", "created": "2023-09-29T17:06:09.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:36.954Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
diff --git a/ics-attack/relationship/relationship--5c8c8976-2cac-4185-9719-ef55c1032d6a.json b/ics-attack/relationship/relationship--5c8c8976-2cac-4185-9719-ef55c1032d6a.json index de0304bfed..aa0bd7397d 100644 --- a/ics-attack/relationship/relationship--5c8c8976-2cac-4185-9719-ef55c1032d6a.json +++ b/ics-attack/relationship/relationship--5c8c8976-2cac-4185-9719-ef55c1032d6a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1455e2d0-be4c-4828-bd41-06050f9fcecc", + "id": "bundle--7706a0c3-e3ff-4b21-aa77-b3d76c805b1f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5c8c8976-2cac-4185-9719-ef55c1032d6a", "created": "2024-11-20T23:06:24.432Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", diff --git a/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json b/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json index 4788be7cff..60d93d9a16 100644 --- a/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json +++ b/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c2ca1a64-ee75-4037-a2df-e4e526e4863b", + "id": "bundle--38bdadc0-6d5a-4dfc-b045-2bad85c08863", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json b/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json index d48060c21c..89174e7d72 100644 --- a/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json +++ b/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--274a2c16-e1ef-4eec-af3e-3e1e6a5113d0", + "id": "bundle--47e3d355-553a-420f-8907-b80caa460459", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json b/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json index 551f220774..d8345ce7c4 100644 --- a/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json +++ b/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2c4d1142-14a0-4c0e-bd86-1984430b63c7", + "id": "bundle--02dd7eb9-5866-4cbc-8ce6-01c6003c2521", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json b/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json index 90358a1390..131ee0a25e 100644 --- a/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json +++ b/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ac6833a-a00d-4b77-b114-364629701c97", + "id": "bundle--c8b99586-ad0a-4401-88c6-c0177bd1a636", "spec_version": "2.0", "objects": [ { 
@@ -8,18 +8,17 @@ "id": "relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:02:38.316Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "modified": "2025-12-24T17:46:20.771Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5d788a27-a1ba-4f22-aa03-b43875d6ace1.json b/ics-attack/relationship/relationship--5d788a27-a1ba-4f22-aa03-b43875d6ace1.json new file mode 100644 index 0000000000..9ee47f4233 --- /dev/null +++ b/ics-attack/relationship/relationship--5d788a27-a1ba-4f22-aa03-b43875d6ace1.json 
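Review bot: The corrected `description` in `relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7` still ends with a literal `\n` after "management functions.", which none of the other descriptions visible in this commit carry. Since the string is being edited anyway, I would drop the trailing escape so that exact-match comparisons and rendered mitigation text stay consistent: `"description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.",`. The object starts above the hunk, so fields outside it were not checked.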
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--8ab7f477-8385-4117-998a-22b2f09aac1a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5d788a27-a1ba-4f22-aa03-b43875d6ace1", + "created": "2026-04-23T00:03:16.026Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:29:27.421Z", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5d9d7c5d-c455-4bcc-9d2c-80f6746632b9.json b/ics-attack/relationship/relationship--5d9d7c5d-c455-4bcc-9d2c-80f6746632b9.json index 8bccbf2250..ade6a0390a 100644 --- a/ics-attack/relationship/relationship--5d9d7c5d-c455-4bcc-9d2c-80f6746632b9.json +++ b/ics-attack/relationship/relationship--5d9d7c5d-c455-4bcc-9d2c-80f6746632b9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef8e60cf-e84b-4f42-831f-935ff26cac36", + "id": "bundle--69d8a7c5-c784-408b-8850-90c64cb7b3d1", "spec_version": "2.0", "objects": [ { 
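Review bot: The new object `relationship--5d788a27-a1ba-4f22-aa03-b43875d6ace1` writes `"revoked": false,` explicitly, while other hunks in this same commit delete exactly that line from existing relationships (for example `relationship--5c8c8976-2cac-4185-9719-ef55c1032d6a` and `relationship--5d9d7c5d-c455-4bcc-9d2c-80f6746632b9`). The other added files do the same (`relationship--5ebb309c-…`, `relationship--5fd9eaf1-…`, `relationship--6079656e-…`, `relationship--60e80053-…`, `relationship--619b3740-…`, `relationship--636a70d1-…`), so the release ends up with two spellings of "not revoked". A consumer that defaults an absent key to false is unaffected, but a pipeline that reads the key directly when filtering revoked objects will treat the two groups differently. I would settle on one policy in the exporter and, if omission is the intended one, drop the line from the added objects as well.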
@@ -8,7 +8,6 @@ "id": "relationship--5d9d7c5d-c455-4bcc-9d2c-80f6746632b9", "created": "2025-09-29T19:06:40.704Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--5db3a67e-8a3a-479e-a723-fe0f0c9e3563.json b/ics-attack/relationship/relationship--5db3a67e-8a3a-479e-a723-fe0f0c9e3563.json index 610078e6e9..0ef7ab5883 100644 --- a/ics-attack/relationship/relationship--5db3a67e-8a3a-479e-a723-fe0f0c9e3563.json +++ b/ics-attack/relationship/relationship--5db3a67e-8a3a-479e-a723-fe0f0c9e3563.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--11bd7e66-cb2d-4f56-8dcd-9862566b82b1", + "id": "bundle--3823070e-4bc0-41fc-a934-db29ef284b99", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5db3a67e-8a3a-479e-a723-fe0f0c9e3563", "created": "2025-09-24T18:03:44.816Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--483719ad-c973-4210-b059-14e87dbd45f8.json b/ics-attack/relationship/relationship--5dcf5ba3-bfa8-4aa4-be5f-e5aea64b3591.json similarity index 71% rename from ics-attack/relationship/relationship--483719ad-c973-4210-b059-14e87dbd45f8.json rename to ics-attack/relationship/relationship--5dcf5ba3-bfa8-4aa4-be5f-e5aea64b3591.json index 22efcdc37e..bb93ceb4e6 100644 --- a/ics-attack/relationship/relationship--483719ad-c973-4210-b059-14e87dbd45f8.json +++ b/ics-attack/relationship/relationship--5dcf5ba3-bfa8-4aa4-be5f-e5aea64b3591.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--55e816f1-5f1f-465c-910c-fae12678ffcd", + "id": "bundle--81361798-5af5-474a-903b-a3d23d4b6296", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--483719ad-c973-4210-b059-14e87dbd45f8", + "id": "relationship--5dcf5ba3-bfa8-4aa4-be5f-e5aea64b3591", "created": "2023-09-28T19:49:43.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:15.147Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json b/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json index ce33dfdcfc..318025aca2 100644 --- a/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json +++ b/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30bbb2f7-b6d6-4aa6-9b99-0b2f68af2f3f", + "id": "bundle--65e99f28-a30d-4349-8678-697fdd923599", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json b/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json index 9b2a5deb91..ada43fa5c7 100644 --- a/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json 
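Review bot: The renamed object gets a new `id` (`relationship--5dcf5ba3-bfa8-4aa4-be5f-e5aea64b3591`) and a new `source_ref`, yet `"modified": "2025-04-16T23:02:15.147Z"` and the 2023 `created` value are carried over unchanged from `relationship--483719ad-c973-4210-b059-14e87dbd45f8`. A downstream sync that selects objects by `modified` would presumably skip the re-pointed mapping. Nothing in this hunk marks the old id as revoked or deprecated, so cached copies of it may keep pointing at `attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b`. I would stamp the new object with the release time, `"modified": "<release timestamp>"`, as the newly added relationships in this commit do, and confirm that the old id is retired somewhere consumers can see. The same pattern appears in the renames to `relationship--5f4badb1-5583-4101-84e4-5b6ebdb0c463` and `relationship--605dcc44-9e1c-42a9-bc0f-5dfa81444022`, where the id and `target_ref` change and no `modified` line appears in the hunks.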
+++ b/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--003474d3-6d2f-4480-a2e5-1c8f6eb5dd9b", + "id": "bundle--96278bc8-b207-4ed8-860d-f3f2125e3138", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json b/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json index 86f388dddd..a73667e792 100644 --- a/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json +++ b/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6cfa4e4c-2f40-4d71-b30b-7af63ecb80e8", + "id": "bundle--5b031212-069c-499f-bd71-da227932e01b", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Tom Fakterman August 2019", diff --git a/ics-attack/relationship/relationship--5e324da5-0fee-4dac-b289-410d560e03e9.json b/ics-attack/relationship/relationship--5e324da5-0fee-4dac-b289-410d560e03e9.json index 0ac9358d9f..2dda8a78b8 100644 --- a/ics-attack/relationship/relationship--5e324da5-0fee-4dac-b289-410d560e03e9.json +++ b/ics-attack/relationship/relationship--5e324da5-0fee-4dac-b289-410d560e03e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b294f76-b9f7-4a65-92a4-9209efd6afa9", + "id": "bundle--dd86a00b-c600-4d6a-ad64-66c73a4ee05e", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--5e324da5-0fee-4dac-b289-410d560e03e9", "created": "2023-09-28T19:46:49.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:39.172Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--5ebb309c-98a9-415a-8c22-2308f69a19b0.json b/ics-attack/relationship/relationship--5ebb309c-98a9-415a-8c22-2308f69a19b0.json new file mode 100644 index 0000000000..34e0aa85c1 --- /dev/null +++ b/ics-attack/relationship/relationship--5ebb309c-98a9-415a-8c22-2308f69a19b0.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--737188f9-25f8-4144-bed3-562fbc530b06", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5ebb309c-98a9-415a-8c22-2308f69a19b0", + "created": "2026-04-22T21:42:11.042Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:42:11.042Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb.json b/ics-attack/relationship/relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb.json index 0cb82cc141..83d5270320 100644 
--- a/ics-attack/relationship/relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb.json +++ b/ics-attack/relationship/relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a2fe2287-192f-4386-aa84-8e639519868f", + "id": "bundle--3f5d2633-29d1-43cb-aa39-5dfe8748d067", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb", "created": "2023-09-28T20:16:28.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:39.400Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json b/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json index 81d4247da6..a9e8362f42 100644 --- a/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json +++ b/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e39474f3-1f8e-444f-b195-20103624d8c1", + "id": "bundle--488a48c4-7463-479c-9b99-6c009cbfa7f1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json b/ics-attack/relationship/relationship--5f4badb1-5583-4101-84e4-5b6ebdb0c463.json similarity index 81% rename from ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json rename to ics-attack/relationship/relationship--5f4badb1-5583-4101-84e4-5b6ebdb0c463.json index e869f6807e..899ce47c41 100644 --- a/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json 
+++ b/ics-attack/relationship/relationship--5f4badb1-5583-4101-84e4-5b6ebdb0c463.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--74b7b5f1-ed16-4ff7-b0f7-ea669c1d7bc2", + "id": "bundle--4d72b32c-e530-4412-ba35-55c13aa9cef3", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--17fdec71-98e8-4314-a1be-037edede58bd", + "id": "relationship--5f4badb1-5583-4101-84e4-5b6ebdb0c463", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -16,10 +16,10 @@ "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5f57e37e-fa3e-4cb6-973e-7e69f61a65c2.json b/ics-attack/relationship/relationship--5f57e37e-fa3e-4cb6-973e-7e69f61a65c2.json index 66c0771337..a4299a4363 100644 --- a/ics-attack/relationship/relationship--5f57e37e-fa3e-4cb6-973e-7e69f61a65c2.json +++ b/ics-attack/relationship/relationship--5f57e37e-fa3e-4cb6-973e-7e69f61a65c2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--020a2b68-4248-4942-9200-d74e25ec5681", + "id": "bundle--16605d79-b746-42ca-81fb-f970cd4d100e", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--5f57e37e-fa3e-4cb6-973e-7e69f61a65c2", "created": "2025-09-24T18:24:03.660Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json b/ics-attack/relationship/relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json index acc7d655aa..236873a9d9 100644 --- a/ics-attack/relationship/relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json +++ b/ics-attack/relationship/relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ceee9eb-0027-4b5e-885f-b0f6ab56ba8a", + "id": "bundle--f4ded346-08c9-479a-9de6-952553455141", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0", "created": "2023-09-25T20:49:49.605Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--5fd9eaf1-7517-4110-9df1-1e0374a924a9.json b/ics-attack/relationship/relationship--5fd9eaf1-7517-4110-9df1-1e0374a924a9.json new file mode 100644 index 0000000000..bb0d8bc05f --- /dev/null +++ b/ics-attack/relationship/relationship--5fd9eaf1-7517-4110-9df1-1e0374a924a9.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--dff7fe56-ace6-4f0b-9e8b-e0e95d2dd6be", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5fd9eaf1-7517-4110-9df1-1e0374a924a9", + "created": "2026-04-22T20:39:13.266Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:39:13.266Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json b/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json index 944a24659f..6317c5120a 100644 --- a/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json +++ b/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--349f53ad-c55c-4c4d-b076-5ea71d124d07", + "id": "bundle--2a558a6c-8dac-4cb1-8b9d-536cd55bf67b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024.json b/ics-attack/relationship/relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024.json index bded60b196..5572eaae99 100644 --- a/ics-attack/relationship/relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024.json +++ b/ics-attack/relationship/relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f28edd30-de42-409b-9c7c-6094e4cfd7e3", + "id": "bundle--f3585443-42dc-4cf6-82cf-d5551587a5fd", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024", "created": "2023-09-29T18:07:18.253Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:40.768Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json b/ics-attack/relationship/relationship--605dcc44-9e1c-42a9-bc0f-5dfa81444022.json similarity index 85% rename from ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json rename to ics-attack/relationship/relationship--605dcc44-9e1c-42a9-bc0f-5dfa81444022.json index 81243012ab..0b18818b5d 100644 --- a/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json +++ b/ics-attack/relationship/relationship--605dcc44-9e1c-42a9-bc0f-5dfa81444022.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--c8a517a5-93ba-4ed0-9fe9-c297f0b70007", + "id": "bundle--e58425e6-f7d0-423a-9fe9-b5f7143a2596", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--648c6649-5861-4b43-a7e5-a9665bafb576", + "id": "relationship--605dcc44-9e1c-42a9-bc0f-5dfa81444022", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -23,10 +23,10 @@ "description": "[Industroyer](https://attack.mitre.org/software/S0604) uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--605f3853-b007-4134-8a2d-6a81a35e7676.json b/ics-attack/relationship/relationship--605f3853-b007-4134-8a2d-6a81a35e7676.json index 4f98b202c8..df0d956d14 100644 --- a/ics-attack/relationship/relationship--605f3853-b007-4134-8a2d-6a81a35e7676.json +++ b/ics-attack/relationship/relationship--605f3853-b007-4134-8a2d-6a81a35e7676.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--082b4964-1574-44ea-b36b-1461f27dd3d7", + "id": "bundle--5f45005a-19c5-4cd9-9702-3e5ea2fc527c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--605f3853-b007-4134-8a2d-6a81a35e7676", "created": "2023-09-29T18:48:05.559Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:40.983Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
diff --git a/ics-attack/relationship/relationship--6067c069-8e93-4bf0-bb49-97538d55c3de.json b/ics-attack/relationship/relationship--6067c069-8e93-4bf0-bb49-97538d55c3de.json index 19946eb7e3..3a425d0d38 100644 --- a/ics-attack/relationship/relationship--6067c069-8e93-4bf0-bb49-97538d55c3de.json +++ b/ics-attack/relationship/relationship--6067c069-8e93-4bf0-bb49-97538d55c3de.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0644eda-7c92-42ac-84ca-616da47d1491", + "id": "bundle--386b1062-77f2-4892-977f-19993e0b5320", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--6067c069-8e93-4bf0-bb49-97538d55c3de", "created": "2024-04-09T20:58:32.884Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:41.206Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--6079656e-d391-4de7-aeff-20c0f00f68c3.json b/ics-attack/relationship/relationship--6079656e-d391-4de7-aeff-20c0f00f68c3.json new file mode 100644 index 0000000000..2ef440967d --- /dev/null +++ b/ics-attack/relationship/relationship--6079656e-d391-4de7-aeff-20c0f00f68c3.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--e3066815-81de-4ce5-961e-e65f2570bd22", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6079656e-d391-4de7-aeff-20c0f00f68c3", + "created": "2026-04-23T00:27:40.717Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:35:16.431Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--60e80053-046c-4f53-b1cb-8778cbda8937.json b/ics-attack/relationship/relationship--60e80053-046c-4f53-b1cb-8778cbda8937.json new file mode 100644 index 0000000000..5904f2cc87 --- /dev/null +++ b/ics-attack/relationship/relationship--60e80053-046c-4f53-b1cb-8778cbda8937.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--f18e8c99-08a4-4857-a374-71c02d579414", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--60e80053-046c-4f53-b1cb-8778cbda8937", + "created": "2026-04-22T18:55:04.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:55:04.275Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--610af67a-5e9a-4f10-a88f-d74451e0bac1.json b/ics-attack/relationship/relationship--610af67a-5e9a-4f10-a88f-d74451e0bac1.json index ec150dbc5c..cd915c0a95 100644 --- a/ics-attack/relationship/relationship--610af67a-5e9a-4f10-a88f-d74451e0bac1.json +++ b/ics-attack/relationship/relationship--610af67a-5e9a-4f10-a88f-d74451e0bac1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c0fd00e-52eb-4fb6-b0ff-4103fa4b2757", + "id": "bundle--f23a985f-d44d-4726-a5da-119fbf029bf7", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--610af67a-5e9a-4f10-a88f-d74451e0bac1", "created": "2025-09-24T18:13:14.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--6124eea3-34b1-4829-89b7-d837910515e6.json b/ics-attack/relationship/relationship--6124eea3-34b1-4829-89b7-d837910515e6.json index 8b5d84d171..69c4b904cd 100644 
--- a/ics-attack/relationship/relationship--6124eea3-34b1-4829-89b7-d837910515e6.json +++ b/ics-attack/relationship/relationship--6124eea3-34b1-4829-89b7-d837910515e6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f026e27-998b-4253-b801-2de21b5b0dc5", + "id": "bundle--2a47283a-4641-47e3-bc65-8301293e93dd", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--6124eea3-34b1-4829-89b7-d837910515e6", "created": "2025-09-29T19:54:27.561Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json b/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json index 36253e310a..177e28b651 100644 --- a/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json +++ b/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--578ad1ab-ffb2-4f38-81b0-4deb5d831024", + "id": "bundle--0b561bfd-bcff-4165-b84a-9bf1e9e84164", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--61869a8e-d6da-478a-b770-47f97beae8b4.json b/ics-attack/relationship/relationship--61869a8e-d6da-478a-b770-47f97beae8b4.json index 0b650de748..a7641afb4f 100644 --- a/ics-attack/relationship/relationship--61869a8e-d6da-478a-b770-47f97beae8b4.json +++ b/ics-attack/relationship/relationship--61869a8e-d6da-478a-b770-47f97beae8b4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--52423587-fbd5-480f-9e83-c645f66a36fd", + "id": "bundle--d6921a12-d3db-47df-be38-3a65b068251b", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--61869a8e-d6da-478a-b770-47f97beae8b4", "created": "2024-08-15T21:59:43.124Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "NCSC CISA Cyclops Blink Advisory February 2022", diff --git a/ics-attack/relationship/relationship--619b3740-df20-4974-858f-f8067749d7b0.json b/ics-attack/relationship/relationship--619b3740-df20-4974-858f-f8067749d7b0.json new file mode 100644 index 0000000000..b45671f924 --- /dev/null +++ b/ics-attack/relationship/relationship--619b3740-df20-4974-858f-f8067749d7b0.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--d483730c-9b2d-4989-905d-dbdb3fbecf44", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--619b3740-df20-4974-858f-f8067749d7b0", + "created": "2026-04-23T00:05:26.725Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:33:57.609Z", + "description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json b/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json index b41d317cff..d0a866570a 100644 --- a/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json 
+++ b/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f14d5a0-e89e-4879-bf9a-88019a320045", + "id": "bundle--a29f15bd-7817-4e2a-b938-edee64043b3f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--6258c355-677c-452d-b1fc-27767232437b", "created": "2019-03-26T16:19:52.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik April 2019", diff --git a/ics-attack/relationship/relationship--62abe387-10a2-414b-881c-060b70db2157.json b/ics-attack/relationship/relationship--62abe387-10a2-414b-881c-060b70db2157.json index c1ea9b13d4..79a0ea4788 100644 --- a/ics-attack/relationship/relationship--62abe387-10a2-414b-881c-060b70db2157.json +++ b/ics-attack/relationship/relationship--62abe387-10a2-414b-881c-060b70db2157.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef2e299a-1e01-44f9-87d5-ec7b801b6ac0", + "id": "bundle--2555b2ea-12d7-41f4-b7ec-fe87286987b4", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--62abe387-10a2-414b-881c-060b70db2157", "created": "2023-09-28T20:08:39.992Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:42.273Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json b/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json index b22b9c3f90..cd5d9d2057 100644 --- a/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json 
+++ b/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b8fcda6-c5f0-4a68-8737-84573536e1f7", + "id": "bundle--41dff868-2bb9-4a62-bfd2-2dbbaf06f42f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--62e818b8-38e6-42ff-9424-9a327332eb2a", "created": "2022-09-29T20:02:37.671Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET Industroyer", diff --git a/ics-attack/relationship/relationship--630eb861-eb37-4258-9dbd-87789df2257a.json b/ics-attack/relationship/relationship--630eb861-eb37-4258-9dbd-87789df2257a.json index f75a898f1f..b319085229 100644 --- a/ics-attack/relationship/relationship--630eb861-eb37-4258-9dbd-87789df2257a.json +++ b/ics-attack/relationship/relationship--630eb861-eb37-4258-9dbd-87789df2257a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--603c73ee-5e55-41ae-9b33-87de2489e4f0", + "id": "bundle--f19063fc-1325-4cd3-a3c4-aa6153c6bd16", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--630eb861-eb37-4258-9dbd-87789df2257a", "created": "2024-03-26T15:41:26.772Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:42.705Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json b/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json index e5676420a8..a16afaa412 100644 --- a/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json 
+++ b/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f5870b4a-abb1-4ba0-9c2a-4811cde09f1c", + "id": "bundle--8c9efca2-dc2b-4ab0-8ebd-43809e0a9bb6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json b/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json index 0c496eb81c..42d8902314 100644 --- a/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json +++ b/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--40cde0ac-5bd5-471e-b1eb-1ead29a5a0c4", + "id": "bundle--ae121833-29ba-476b-85bc-3f3f4b03dc5c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json b/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json index 7c51dca615..b6eeadfdf8 100644 --- a/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json +++ b/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d073871-2851-4f95-ba90-2ea1bfb51885", + "id": "bundle--cc49bead-2274-441f-958e-6559c3cad043", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--63453d2f-30f6-40ab-b32c-506d940ecd20", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--636a70d1-dd76-4633-b960-e64459f87299.json b/ics-attack/relationship/relationship--636a70d1-dd76-4633-b960-e64459f87299.json new file mode 100644 index 0000000000..f027082e5e --- /dev/null 
+++ b/ics-attack/relationship/relationship--636a70d1-dd76-4633-b960-e64459f87299.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--25c78846-2795-4a7c-990c-fa82205de4fd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--636a70d1-dd76-4633-b960-e64459f87299", + "created": "2026-04-22T22:53:08.394Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:16:43.591Z", + "description": "Ensure systems and devices have an alternative method for communicating in the event that Wi-Fi communication channels become unavailable.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json b/ics-attack/relationship/relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json index e1376a60ca..35306ce81b 100644 --- a/ics-attack/relationship/relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json +++ b/ics-attack/relationship/relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--29fb1709-4d23-4ebb-ac30-9afb95f8aba8", + "id": "bundle--77cc1dfc-153d-4ba5-bc44-ddadd8ced766", "spec_version": "2.0", "objects": [ { 
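Review bot: The new relationship object in `relationship--636a70d1-dd76-4633-b960-e64459f87299.json` writes `"revoked": false,` explicitly, while the hunks for existing relationships in this same change delete that line. The other added files (`6421e980`, `642f4d65`, `645d5380`, `65ab0305`) and the re-identified `6420b4b9` object do the same. An absent `revoked` property already means "not revoked" in STIX, so the two forms are equivalent for a conforming parser. Mixing them still makes later diffs noisy, and a consumer that tests for the key's presence would treat the two sets of objects differently. I would drop the `"revoked": false,` line from the added objects so the export is uniform.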
@@ -8,12 +8,10 @@ "id": "relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b", "created": "2023-09-29T17:44:55.599Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:43.745Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json b/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json index e67cf83270..1613f8d94a 100644 --- a/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json +++ b/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--49b08651-78af-47e2-b636-1484c0ef5bec", + "id": "bundle--cbc2e811-bb53-4caf-9b9e-148a34d9442d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "DHS CISA February 2019", diff --git a/ics-attack/relationship/relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json b/ics-attack/relationship/relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json index 5328af4e9b..a03e667eea 100644 --- a/ics-attack/relationship/relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json +++ b/ics-attack/relationship/relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2c6dcd0f-ce71-46b9-be85-bb89439e8453", + "id": "bundle--e105a053-19ad-4f19-aa9e-6cd64739ee9c", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3", "created": "2023-09-29T16:43:05.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:44.216Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--909fba0a-f075-402f-8791-388ebd76647e.json b/ics-attack/relationship/relationship--6420b4b9-3536-4a9b-b53d-6780242f38cf.json similarity index 75% rename from ics-attack/relationship/relationship--909fba0a-f075-402f-8791-388ebd76647e.json rename to ics-attack/relationship/relationship--6420b4b9-3536-4a9b-b53d-6780242f38cf.json index f49049789d..b3d05074c3 100644 --- a/ics-attack/relationship/relationship--909fba0a-f075-402f-8791-388ebd76647e.json +++ b/ics-attack/relationship/relationship--6420b4b9-3536-4a9b-b53d-6780242f38cf.json 
@@ -1,21 +1,21 @@ { "type": "bundle", - "id": "bundle--6879cc85-acc7-40a9-ae2a-31c99a2c1cf3", + "id": "bundle--ca521878-7d91-4fda-ad9a-29258346fce4", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--909fba0a-f075-402f-8791-388ebd76647e", + "id": "relationship--6420b4b9-3536-4a9b-b53d-6780242f38cf", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--de675cf4-144e-485c-a761-c72ebcb9e2bc", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "target_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" diff --git a/ics-attack/relationship/relationship--6421e980-4f75-4e13-a207-a9583bd28c4a.json b/ics-attack/relationship/relationship--6421e980-4f75-4e13-a207-a9583bd28c4a.json new file mode 100644 index 0000000000..34feafa6cb --- /dev/null +++ b/ics-attack/relationship/relationship--6421e980-4f75-4e13-a207-a9583bd28c4a.json 
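Review bot: The `detects` relationship gets a new `id` (`relationship--6420b4b9-…`) and a different `target_ref`, but `"created"` and `"modified"` both stay at `"2025-10-21T15:10:28.402Z"`. The rename to `relationship--64f31c4f-…` has the same problem: `source_ref` and `x_mitre_attack_spec_version` change while `"modified": "2025-04-16T23:03:35.161Z"` is left as is. A consumer that syncs incrementally by `modified` would not pick up either re-mapping, so detection and asset coverage could stay attached to the old technique. The edited INCONTROLLER relationship in this same change does bump its `modified`, so I would do the same here, e.g. `"modified": "<timestamp of this change>"`. Nothing visible in these hunks keeps the old ids `909fba0a-…` and `8bfeed6a-…` as revoked or deprecated records; if they are simply dropped, tooling keyed on relationship ids loses the link without a tombstone.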
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--d93b49bd-fd3a-4bfd-8059-5d6524c347a4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6421e980-4f75-4e13-a207-a9583bd28c4a", + "created": "2026-04-22T20:42:33.462Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:42:33.462Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--642cae89-bb5c-46f3-9fea-8d747b930c35.json b/ics-attack/relationship/relationship--642cae89-bb5c-46f3-9fea-8d747b930c35.json index 41268c8728..45718f8881 100644 --- a/ics-attack/relationship/relationship--642cae89-bb5c-46f3-9fea-8d747b930c35.json +++ b/ics-attack/relationship/relationship--642cae89-bb5c-46f3-9fea-8d747b930c35.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b713e6e-2d0f-4eba-8c77-5392e1c00f2a", + "id": "bundle--d25d0af5-908b-4680-ba1e-d72182e91c93", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--642cae89-bb5c-46f3-9fea-8d747b930c35", "created": "2023-03-10T20:11:10.018Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", diff --git a/ics-attack/relationship/relationship--642f4d65-04ea-4662-bc1c-5fba12aa4fc1.json b/ics-attack/relationship/relationship--642f4d65-04ea-4662-bc1c-5fba12aa4fc1.json new file mode 100644 index 0000000000..625cb7a056 --- /dev/null 
+++ b/ics-attack/relationship/relationship--642f4d65-04ea-4662-bc1c-5fba12aa4fc1.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--6efc8bcc-f332-4307-b7ca-aaf5731c00ec", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--642f4d65-04ea-4662-bc1c-5fba12aa4fc1", + "created": "2026-04-23T16:45:04.370Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:45:04.370Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--645d5380-c5e5-4ee6-8ebb-11a0cd44cc08.json b/ics-attack/relationship/relationship--645d5380-c5e5-4ee6-8ebb-11a0cd44cc08.json new file mode 100644 index 0000000000..7ab580fca7 --- /dev/null +++ b/ics-attack/relationship/relationship--645d5380-c5e5-4ee6-8ebb-11a0cd44cc08.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--cd1bae99-abbc-4a02-a3f3-7a08732d277f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--645d5380-c5e5-4ee6-8ebb-11a0cd44cc08", + "created": "2026-04-23T16:29:09.403Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:29:09.403Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json b/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json index 79d4deeafd..65816ee8e3 100644 --- a/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json +++ b/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ac22e3b1-a4ab-4b43-ad70-8c359d0ec18f", + "id": "bundle--b90584c8-b9fb-4fe6-baed-3eb1f5c4c899", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--64f14b30-f71e-4429-b16e-160ae5e346f0.json b/ics-attack/relationship/relationship--64f14b30-f71e-4429-b16e-160ae5e346f0.json index 0a48541ffa..4027f0f031 100644 --- a/ics-attack/relationship/relationship--64f14b30-f71e-4429-b16e-160ae5e346f0.json +++ b/ics-attack/relationship/relationship--64f14b30-f71e-4429-b16e-160ae5e346f0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce2797d2-5a32-4419-b58f-3821850578eb", + "id": "bundle--0ec02d0c-5249-47cc-ab94-88b7b7eebc67", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--64f14b30-f71e-4429-b16e-160ae5e346f0", "created": "2025-09-24T18:20:25.164Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4.json b/ics-attack/relationship/relationship--64f31c4f-a525-469c-8f2f-370dcd321314.json similarity index 71% rename from ics-attack/relationship/relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4.json rename to ics-attack/relationship/relationship--64f31c4f-a525-469c-8f2f-370dcd321314.json index 20a6022966..c439790a5d 100644 --- a/ics-attack/relationship/relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4.json +++ b/ics-attack/relationship/relationship--64f31c4f-a525-469c-8f2f-370dcd321314.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--c9866b4f-0a1c-4680-b745-69ba0e10e655", + "id": "bundle--2df5abea-e098-4724-8542-30d47d2c09bb", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4", + "id": "relationship--64f31c4f-a525-469c-8f2f-370dcd321314", "created": "2023-10-02T20:21:16.665Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:35.161Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "source_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--650bca94-b9ad-45dd-90c9-83481247711a.json b/ics-attack/relationship/relationship--650bca94-b9ad-45dd-90c9-83481247711a.json index 45a0a6e221..325650a0eb 100644 --- a/ics-attack/relationship/relationship--650bca94-b9ad-45dd-90c9-83481247711a.json +++ b/ics-attack/relationship/relationship--650bca94-b9ad-45dd-90c9-83481247711a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--03d2a173-b29e-4e2d-9665-0cae8da49c3d", + "id": "bundle--d248dc67-8c17-494f-a74d-2a20c141bcf4", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--650bca94-b9ad-45dd-90c9-83481247711a", "created": "2025-09-29T22:02:00.622Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json b/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json index be4905c07e..cc55ec239f 100644 --- a/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json +++ b/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a7c6b7e0-af62-40eb-9224-4847a954f87a", + "id": "bundle--76a416fe-d883-47c8-9815-891690a1a890", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--652c1e77-cfea-4452-9762-5ba16f874119.json b/ics-attack/relationship/relationship--652c1e77-cfea-4452-9762-5ba16f874119.json index b9cb838b3d..ef4dee19f3 100644 --- a/ics-attack/relationship/relationship--652c1e77-cfea-4452-9762-5ba16f874119.json +++ b/ics-attack/relationship/relationship--652c1e77-cfea-4452-9762-5ba16f874119.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--51b38d92-95a7-472a-8c99-33a505642979", + "id": "bundle--f1110e32-fe73-46b8-8be8-3e627caae853", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--652c1e77-cfea-4452-9762-5ba16f874119", "created": "2023-09-29T17:58:42.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:45.324Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--6573327e-3757-424e-8570-04ffe7d5d0e2.json b/ics-attack/relationship/relationship--6573327e-3757-424e-8570-04ffe7d5d0e2.json index 17924fece3..9d90d85fe3 100644 --- a/ics-attack/relationship/relationship--6573327e-3757-424e-8570-04ffe7d5d0e2.json +++ b/ics-attack/relationship/relationship--6573327e-3757-424e-8570-04ffe7d5d0e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8cd10f68-9d89-4fb5-8a17-27b7d9b48cbb", + "id": "bundle--0cf8c3b2-f596-46fb-9d3e-842bb737c707", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--6573327e-3757-424e-8570-04ffe7d5d0e2", "created": "2023-09-27T14:53:25.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", diff --git a/ics-attack/relationship/relationship--65aa5a0d-926c-4b04-9509-f66a99639877.json b/ics-attack/relationship/relationship--65aa5a0d-926c-4b04-9509-f66a99639877.json index 2c209ea37a..88608e900c 100644 --- a/ics-attack/relationship/relationship--65aa5a0d-926c-4b04-9509-f66a99639877.json +++ b/ics-attack/relationship/relationship--65aa5a0d-926c-4b04-9509-f66a99639877.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e7c86bfb-cace-4c2a-a4c8-21e119f75512", + "id": "bundle--de702bf1-23e3-4403-aff0-051a2504a497", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--65aa5a0d-926c-4b04-9509-f66a99639877", "created": "2023-09-29T17:41:34.892Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:46.215Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--65ab0305-9fe2-4af4-a11e-b8d272493ad1.json b/ics-attack/relationship/relationship--65ab0305-9fe2-4af4-a11e-b8d272493ad1.json new file mode 100644 index 0000000000..52380f2168 --- /dev/null +++ b/ics-attack/relationship/relationship--65ab0305-9fe2-4af4-a11e-b8d272493ad1.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--c5d323f7-3219-4484-ba7d-2f7f22718503", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--65ab0305-9fe2-4af4-a11e-b8d272493ad1", + "created": "2026-04-22T20:37:52.099Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:37:52.099Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json b/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json index 317ce13038..1673be117f 100644 
--- a/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json +++ b/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f80f6001-cbdf-404b-bb74-139755628821", + "id": "bundle--e15b30a8-2e1c-4bc2-9e9b-8eb01d4c9d6c", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--65adbdda-7069-40ed-9825-b79ec87e4916", "created": "2021-09-21T15:47:37.522Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CrowdStrike Carbon Spider August 2021", diff --git a/ics-attack/relationship/relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5.json b/ics-attack/relationship/relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5.json index 5131a31a8f..19dd02f270 100644 --- a/ics-attack/relationship/relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5.json +++ b/ics-attack/relationship/relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--001eb9e8-2a6c-478f-968e-222c4b0de0b4", + "id": "bundle--18f50ee2-e156-4e03-8de9-d6ec6b62ba1b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5", "created": "2023-09-28T21:25:34.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:46.527Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2.json b/ics-attack/relationship/relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2.json index 0ba53eb98f..a01113e160 100644 
--- a/ics-attack/relationship/relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2.json +++ b/ics-attack/relationship/relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f37c651f-f715-4ee8-83e9-e1bf9f8e1734", + "id": "bundle--1b1db94e-1c1f-41cb-814e-141412fde542", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2", "created": "2023-10-02T20:18:54.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:46.764Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json b/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json index 2e00225412..8136e5d8e6 100644 --- a/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json +++ b/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b6ccebc4-016a-49d3-8b5a-f65cd65e31c9", + "id": "bundle--1bd4d6b2-5534-43e2-a5e6-15d92815f085", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--6603a100-d655-4e6b-8d38-73c11b89dde4", "created": "2019-03-26T16:19:52.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik April 2019", diff --git a/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json b/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json index d1d33b38b9..0e2038fb31 100644 
--- a/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json +++ b/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3497735f-e01f-442f-ae57-14d0027e0917", + "id": "bundle--4ccf46e4-c3a0-49cd-acc2-ce45178a4a0c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--665587ee-1524-4334-9580-2b448c417542.json b/ics-attack/relationship/relationship--665587ee-1524-4334-9580-2b448c417542.json index 38d1bab3a0..eada2479fc 100644 --- a/ics-attack/relationship/relationship--665587ee-1524-4334-9580-2b448c417542.json +++ b/ics-attack/relationship/relationship--665587ee-1524-4334-9580-2b448c417542.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--23fd2a0d-44f2-4a44-ac16-94b1c44e4e6b", + "id": "bundle--8f942e10-f8e8-4df7-872e-3bbceb3057a4", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--665587ee-1524-4334-9580-2b448c417542", "created": "2023-03-30T19:26:07.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 Mandiant April 2022", diff --git a/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json b/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json index c57dd7a48d..ad9131ccb9 100644 --- a/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json +++ b/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a52b51ed-43d4-4c6c-8677-4859226cb43d", + "id": "bundle--0fc2ca83-1bbf-4895-b44c-1ae699d615b3", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--6681bc38-0b55-4714-b690-c609956b40bf", "created": "2022-09-28T20:27:33.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA-AA22-103A", diff --git a/ics-attack/relationship/relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d.json b/ics-attack/relationship/relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d.json index deb97bc3d2..d8f5b99b77 100644 --- a/ics-attack/relationship/relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d.json +++ b/ics-attack/relationship/relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6daf4def-15c0-4c73-9bf3-2c1c93261940", + "id": "bundle--25f4b73e-d547-4dc2-a145-7003180a09ed", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d", "created": "2023-03-10T20:32:02.472Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", diff --git a/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json b/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json index 01732bee4c..52a16b00b0 100644 --- a/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json +++ b/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--93932f2b-78bd-4b46-bef9-4b40e22f0c27", + "id": "bundle--49497556-ebb5-4438-8988-9d30ae930bf4", "spec_version": "2.0", "objects": [ { 
@@ -15,11 +15,6 @@ "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" }, - { - "source_name": "Dragos-Pipedream", - "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite\u2019s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", - "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" - }, { "source_name": "Wylie-22", "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", 
@@ -29,14 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:02:48.321Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.(Citation: Dragos-Pipedream)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the FINS (Factory Interface Network Service) protocol to scan for and obtain MAC address associated with Omron devices.(Citation: CISA-AA22-103A)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers.(Citation: Wylie-22)", + "modified": "2026-04-23T14:20:50.156Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the FINS (Factory Interface Network Service) protocol to scan for and obtain MAC address associated with Omron devices.(Citation: CISA-AA22-103A)(Citation: Wylie-22)", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json b/ics-attack/relationship/relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json index 8271b5eed0..55657e6172 100644 --- a/ics-attack/relationship/relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json +++ b/ics-attack/relationship/relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b230905d-8f72-4a78-8fd7-5ad3e674c4c6", + "id": "bundle--0b383f69-5e00-4c7b-b53a-bf58d3517c87", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702", "created": "2023-09-29T17:43:31.956Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:48.549Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--66d8f3d7-68e0-48a0-a563-4746922080fc.json b/ics-attack/relationship/relationship--66d8f3d7-68e0-48a0-a563-4746922080fc.json index 5d854cfbe3..d80c47c5c3 100644 --- a/ics-attack/relationship/relationship--66d8f3d7-68e0-48a0-a563-4746922080fc.json +++ b/ics-attack/relationship/relationship--66d8f3d7-68e0-48a0-a563-4746922080fc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2b25b566-ee91-4557-afbb-b890daec1ac5", + "id": "bundle--78096ed3-db97-45f0-ac04-ff75c5711ac5", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--66d8f3d7-68e0-48a0-a563-4746922080fc", "created": "2024-04-09T20:48:46.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:49.011Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
diff --git a/ics-attack/relationship/relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68.json b/ics-attack/relationship/relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68.json index 2a6f548a5e..cf356aeb54 100644 --- a/ics-attack/relationship/relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68.json +++ b/ics-attack/relationship/relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d744036-4eef-4977-8983-4acd62c4d0a4", + "id": "bundle--a7aec873-d25e-43d0-b6bd-e6d19c60d251", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--66eb9d6f-498b-4a9a-94d3-fe808460bb68", "created": "2024-09-11T22:50:15.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Claroty Fuxnet 2024", diff --git a/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json b/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json index fda5b16e9d..11a2255d13 100644 --- a/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json +++ b/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e348555f-d29b-4c47-8502-60cc0e7d85d8", + "id": "bundle--2eaf8714-5634-4019-8537-5bac4f68723e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--66f79019-d52c-46a6-b605-c2335d1d3d20", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", diff --git a/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json b/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json index ebe5e6e17c..e8c10aeb30 100644 --- a/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json 
+++ b/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b26edfbe-fdaf-4f59-8d55-5bfbbfdd50cf", + "id": "bundle--e27a13d0-7e04-4d29-ac2a-93b26c7669e7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--de981644-10f5-40bf-9ced-5c35ed8f9793.json b/ics-attack/relationship/relationship--672329b4-2695-4373-a2e4-0fc16c75cc13.json similarity index 78% rename from ics-attack/relationship/relationship--de981644-10f5-40bf-9ced-5c35ed8f9793.json rename to ics-attack/relationship/relationship--672329b4-2695-4373-a2e4-0fc16c75cc13.json index 989dd33b20..99e235ca51 100644 --- a/ics-attack/relationship/relationship--de981644-10f5-40bf-9ced-5c35ed8f9793.json +++ b/ics-attack/relationship/relationship--672329b4-2695-4373-a2e4-0fc16c75cc13.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--e0ebdc50-0c63-426d-ba74-6bafaab6cf64", + "id": "bundle--4513f2a4-341d-4670-84f2-705b804f1eaf", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--de981644-10f5-40bf-9ced-5c35ed8f9793", + "id": "relationship--672329b4-2695-4373-a2e4-0fc16c75cc13", "created": "2025-09-24T18:12:25.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-24T18:12:25.320Z", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, diff --git a/ics-attack/relationship/relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd.json b/ics-attack/relationship/relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd.json index 0e55ab7767..5d2cf298e6 100644 
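Review bot: In the renamed `relationship--672329b4-2695-4373-a2e4-0fc16c75cc13.json`, the object gets a new `id` and a different `source_ref`, but the context lines keep both `created` and `modified` at `2025-09-24T18:12:25.320Z`. A consumer that syncs incrementally on `modified` will therefore see the re-pointed relationship as unchanged. The same pattern is in `relationship--692240ba-667e-4f37-9f35-f354240c5bdc.json`, where `x_mitre_attack_spec_version` also moves to `3.3.0` while `modified` stays at `2025-04-16T23:03:57.362Z`. The old ids appear to be dropped rather than revoked, so technique-to-asset mappings built on an earlier release may keep a stale link. I would give both objects a fresh timestamp, `"modified": "<release timestamp>",`, matching the 2026 values carried by the newly added relationship files in this commit.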
--- a/ics-attack/relationship/relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd.json +++ b/ics-attack/relationship/relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c9a81d1-a622-49bf-b3de-986b1f65cca4", + "id": "bundle--62d8985e-43bc-43e9-9dc6-9e6495a04f8b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd", "created": "2023-09-29T18:02:52.119Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:49.950Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--6795c92f-848f-488e-9c25-d240f99c9b34.json b/ics-attack/relationship/relationship--6795c92f-848f-488e-9c25-d240f99c9b34.json index 4c6e9cf2a1..566deaa8e1 100644 --- a/ics-attack/relationship/relationship--6795c92f-848f-488e-9c25-d240f99c9b34.json +++ b/ics-attack/relationship/relationship--6795c92f-848f-488e-9c25-d240f99c9b34.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9072f454-72cb-4b2c-9cc4-d88a61d23b25", + "id": "bundle--2fb0ece7-379f-46b9-b54a-0ba67799c43f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--6795c92f-848f-488e-9c25-d240f99c9b34", "created": "2023-09-28T21:23:39.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:50.161Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
diff --git a/ics-attack/relationship/relationship--6797d89b-c631-4a45-90b8-7da2c703b6e7.json b/ics-attack/relationship/relationship--6797d89b-c631-4a45-90b8-7da2c703b6e7.json index a83554a16d..d695b06c0d 100644 --- a/ics-attack/relationship/relationship--6797d89b-c631-4a45-90b8-7da2c703b6e7.json +++ b/ics-attack/relationship/relationship--6797d89b-c631-4a45-90b8-7da2c703b6e7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--107f1777-64eb-45ae-bed3-5be73944c075", + "id": "bundle--eda8a8e2-4aea-4a04-8b17-ba9d90bf875e", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--9ad17e7a-5920-42ac-9bf4-545b99162640", "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", diff --git a/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json b/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json index 8991985e7d..68f19a8577 100644 --- a/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json +++ b/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ed416d5-6e69-4959-b068-21f73f16e22c", + "id": "bundle--861b19aa-3275-4ca8-8531-dc1d3ad482ba", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jeff Jones May 2018", diff --git a/ics-attack/relationship/relationship--67ae8423-c401-4c11-93d3-0454c288d934.json b/ics-attack/relationship/relationship--67ae8423-c401-4c11-93d3-0454c288d934.json index b192e20f59..d7f9a09e20 100644 
--- a/ics-attack/relationship/relationship--67ae8423-c401-4c11-93d3-0454c288d934.json +++ b/ics-attack/relationship/relationship--67ae8423-c401-4c11-93d3-0454c288d934.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a471226c-a240-41c7-b0b3-69e118b1ad45", + "id": "bundle--5a5fdd3e-7982-4e89-81bb-631f898860e2", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--67ae8423-c401-4c11-93d3-0454c288d934", "created": "2023-09-29T16:31:57.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:50.822Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--67dae594-4239-4756-a0bc-dee75de19e4c.json b/ics-attack/relationship/relationship--67dae594-4239-4756-a0bc-dee75de19e4c.json index d218d69a3f..f1521ee471 100644 --- a/ics-attack/relationship/relationship--67dae594-4239-4756-a0bc-dee75de19e4c.json +++ b/ics-attack/relationship/relationship--67dae594-4239-4756-a0bc-dee75de19e4c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ef61630-6762-4662-863f-f3ab49d572aa", + "id": "bundle--9c41c6cb-b0bb-45e4-8101-a5439d655ad5", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--67dae594-4239-4756-a0bc-dee75de19e4c", "created": "2023-09-29T17:07:14.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:51.045Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
diff --git a/ics-attack/relationship/relationship--67dd6b59-ef78-4732-beb8-4917156b6382.json b/ics-attack/relationship/relationship--67dd6b59-ef78-4732-beb8-4917156b6382.json new file mode 100644 index 0000000000..e8d0281f54 --- /dev/null +++ b/ics-attack/relationship/relationship--67dd6b59-ef78-4732-beb8-4917156b6382.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--efed7545-060a-4348-a21b-60e67c0899bd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--67dd6b59-ef78-4732-beb8-4917156b6382", + "created": "2026-04-22T20:18:36.361Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:18:36.361Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--67e11f38-9f68-4989-8de3-da65af52063e.json b/ics-attack/relationship/relationship--67e11f38-9f68-4989-8de3-da65af52063e.json index 35bff86dac..a75e650d31 100644 --- a/ics-attack/relationship/relationship--67e11f38-9f68-4989-8de3-da65af52063e.json +++ b/ics-attack/relationship/relationship--67e11f38-9f68-4989-8de3-da65af52063e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a14edb5-5d47-4b8b-9e04-364073998551", + "id": "bundle--99b1fa09-cb64-4237-b596-434d01a228c9", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--67e11f38-9f68-4989-8de3-da65af52063e", "created": "2023-03-30T19:24:54.896Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 ESET April 2022", diff --git a/ics-attack/relationship/relationship--67ed5edc-fd57-4b1c-9677-8f0758154526.json b/ics-attack/relationship/relationship--67ed5edc-fd57-4b1c-9677-8f0758154526.json index 07d7069635..4cff406272 100644 --- a/ics-attack/relationship/relationship--67ed5edc-fd57-4b1c-9677-8f0758154526.json +++ b/ics-attack/relationship/relationship--67ed5edc-fd57-4b1c-9677-8f0758154526.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f4a519d3-52ee-4f37-9705-3281a180b64f", + "id": "bundle--e4e5cfbc-2902-464f-a73a-b85c3081fcb7", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--67ed5edc-fd57-4b1c-9677-8f0758154526", "created": "2025-09-29T19:04:04.581Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json b/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json index 3271a3f20f..6625a5275c 100644 --- a/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json +++ b/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--59542433-a675-4c97-8553-1e4845fb7aa2", + "id": "bundle--7f6f7d10-0a5a-41d8-a3ec-634bf4859bd2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--685249f9-e51a-4914-8b7f-09679e04198b.json b/ics-attack/relationship/relationship--685249f9-e51a-4914-8b7f-09679e04198b.json index fc62b3300a..18a722043e 100644 
--- a/ics-attack/relationship/relationship--685249f9-e51a-4914-8b7f-09679e04198b.json +++ b/ics-attack/relationship/relationship--685249f9-e51a-4914-8b7f-09679e04198b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--33332b70-b7dc-4ce5-b3dc-f3506ba3ca76", + "id": "bundle--61a19e84-0f47-456c-992c-25245a31f8b2", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--685249f9-e51a-4914-8b7f-09679e04198b", "created": "2023-09-28T19:49:11.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:51.723Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json b/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json index cdb0bcff85..8266ae6a05 100644 --- a/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json +++ b/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d8c12017-84c6-498b-b60e-f2fbe22abc37", + "id": "bundle--05001b2c-f8aa-442e-a959-31ef8d9f5fe3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json b/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json index a7d0c9e1fe..23f760da78 100644 --- a/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json +++ b/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--830bf76d-4bd4-4ff0-ab1e-0a6668eed081", + "id": "bundle--8fe84877-512a-48b5-95c6-594f874aa7e4", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44", "created": "2020-05-14T14:40:26.221Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", @@ -48,7 +47,7 @@ { "source_name": "Mandiant FIN12 Oct 2021", "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.", - "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" + "url": "https://web.archive.org/web/20220313061955/https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" }, { "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", 
@@ -69,14 +68,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T22:20:55.390Z", + "modified": "2026-01-20T16:26:04.865Z", "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)(Citation: Mandiant FIN12 Oct 2021)(Citation: Microsoft Ransomware as a Service)", "relationship_type": "uses", "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--68e0f740-e04d-492c-b735-ce75f86a62f5.json b/ics-attack/relationship/relationship--68e0f740-e04d-492c-b735-ce75f86a62f5.json index dcc797135a..b146f35732 100644 --- a/ics-attack/relationship/relationship--68e0f740-e04d-492c-b735-ce75f86a62f5.json +++ b/ics-attack/relationship/relationship--68e0f740-e04d-492c-b735-ce75f86a62f5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97296c16-91c3-4e18-a2c4-68eacdd64b51", + "id": "bundle--d9220609-8e3d-4ede-8ba4-f5746a943f9a", "spec_version": "2.0", "objects": [ { 
@@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--e9f6c9ad-7368-43e3-9ba1-c9261323a1d1", "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", diff --git a/ics-attack/relationship/relationship--691d1193-193a-4433-9a2e-1eb3fa239de6.json b/ics-attack/relationship/relationship--691d1193-193a-4433-9a2e-1eb3fa239de6.json index cbc42e155e..92a869c414 100644 --- a/ics-attack/relationship/relationship--691d1193-193a-4433-9a2e-1eb3fa239de6.json +++ b/ics-attack/relationship/relationship--691d1193-193a-4433-9a2e-1eb3fa239de6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9765119a-ebfb-4ca6-af87-db355db2db95", + "id": "bundle--5432f5ab-ef40-43f7-bf63-22dc70885095", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--691d1193-193a-4433-9a2e-1eb3fa239de6", "created": "2025-09-24T18:20:00.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--a45cec05-2d81-4db1-9267-db8be498e0d2.json b/ics-attack/relationship/relationship--692240ba-667e-4f37-9f35-f354240c5bdc.json similarity index 71% rename from ics-attack/relationship/relationship--a45cec05-2d81-4db1-9267-db8be498e0d2.json rename to ics-attack/relationship/relationship--692240ba-667e-4f37-9f35-f354240c5bdc.json index c096a20ae1..3634f1fd70 100644 --- a/ics-attack/relationship/relationship--a45cec05-2d81-4db1-9267-db8be498e0d2.json +++ b/ics-attack/relationship/relationship--692240ba-667e-4f37-9f35-f354240c5bdc.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--e2610bc1-d750-4daf-b147-25ac321e6f99", + "id": "bundle--ae26ae2d-93db-480a-bdc1-44a81cd72b5f", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--a45cec05-2d81-4db1-9267-db8be498e0d2", + "id": "relationship--692240ba-667e-4f37-9f35-f354240c5bdc", "created": "2023-09-29T16:46:50.699Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:57.362Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json b/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json index c0b01771c5..e61ffcf100 100644 --- a/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json +++ b/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--957fbff6-1dd8-47c2-84c1-dd438205146a", + "id": "bundle--c94e5c28-5749-4126-8d7e-33be1d03eb3d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--692324b4-064a-430c-8ffc-7f7acd537778", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Symantec", 
diff --git a/ics-attack/relationship/relationship--692ff921-c74d-40a4-ab31-879aba5f247a.json b/ics-attack/relationship/relationship--692ff921-c74d-40a4-ab31-879aba5f247a.json index a79014bbd0..995e6d2315 100644 --- a/ics-attack/relationship/relationship--692ff921-c74d-40a4-ab31-879aba5f247a.json +++ b/ics-attack/relationship/relationship--692ff921-c74d-40a4-ab31-879aba5f247a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bb42f103-de23-4981-a26f-de488d48c3b2", + "id": "bundle--75b59d80-52da-4a9c-9f07-a6b79dd5d083", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--692ff921-c74d-40a4-ab31-879aba5f247a", "created": "2023-09-29T16:42:01.287Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:53.380Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json b/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json index 9ee37a7fcb..43dac2f5f2 100644 --- a/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json +++ b/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf742b5f-db31-4884-a91f-759466827dd5", + "id": "bundle--38a48134-e3c5-40d5-9132-98c47b621d34", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--69889c90-e6d0-4007-9078-2bfbd7c18a91.json b/ics-attack/relationship/relationship--69889c90-e6d0-4007-9078-2bfbd7c18a91.json index 581c609662..6993d53800 100644 --- a/ics-attack/relationship/relationship--69889c90-e6d0-4007-9078-2bfbd7c18a91.json 
+++ b/ics-attack/relationship/relationship--69889c90-e6d0-4007-9078-2bfbd7c18a91.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c5ca3d04-2dab-4efa-b443-36afd3d627a6", + "id": "bundle--2d0ec3de-ab86-4130-b75a-66450a13ff2a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--69889c90-e6d0-4007-9078-2bfbd7c18a91", "created": "2024-03-25T20:11:07.813Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA AA23-335A IRGC-Affiliated December 2023", diff --git a/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json b/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json index e89d652cda..3bde2cebb5 100644 --- a/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json +++ b/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e222e617-9e84-4c0d-9994-a977270dcfde", + "id": "bundle--369c4d7b-458f-4755-8c7b-6d8948bdb9fc", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "IEC February 2019", diff --git a/ics-attack/relationship/relationship--69963190-c0a1-4518-922f-0f6153e1f6a6.json b/ics-attack/relationship/relationship--69963190-c0a1-4518-922f-0f6153e1f6a6.json new file mode 100644 index 0000000000..f3e7d6291e --- /dev/null +++ b/ics-attack/relationship/relationship--69963190-c0a1-4518-922f-0f6153e1f6a6.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--5704cff5-5b08-4d7c-9ae9-c2007a0367ef", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--69963190-c0a1-4518-922f-0f6153e1f6a6", + "created": "2026-04-23T00:02:50.392Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:02:50.392Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--69cf4015-fae1-47f6-9253-1f99209288a5.json b/ics-attack/relationship/relationship--69cf4015-fae1-47f6-9253-1f99209288a5.json index e3d91bd26b..7b5528d69a 100644 --- a/ics-attack/relationship/relationship--69cf4015-fae1-47f6-9253-1f99209288a5.json +++ b/ics-attack/relationship/relationship--69cf4015-fae1-47f6-9253-1f99209288a5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e39d1279-ae50-4d45-afe7-c6eaa1e9d79b", + "id": "bundle--18861a49-185f-4917-90fc-2914fbb6d3e1", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--69cf4015-fae1-47f6-9253-1f99209288a5", "created": "2023-09-29T16:27:34.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:54.220Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
diff --git a/ics-attack/relationship/relationship--69d19946-72fb-40ce-90fb-0757df8353b5.json b/ics-attack/relationship/relationship--69d19946-72fb-40ce-90fb-0757df8353b5.json index f9f9f184a7..3d35e440ed 100644 --- a/ics-attack/relationship/relationship--69d19946-72fb-40ce-90fb-0757df8353b5.json +++ b/ics-attack/relationship/relationship--69d19946-72fb-40ce-90fb-0757df8353b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--240b59c2-9eff-4ec7-8add-d1eabbf40323", + "id": "bundle--3d17279c-bf6d-4523-a2d3-e7a65e4650b2", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--69d19946-72fb-40ce-90fb-0757df8353b5", "created": "2024-11-20T23:05:29.090Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", diff --git a/ics-attack/relationship/relationship--69f5ca66-8334-47e1-920e-b9320e007c3b.json b/ics-attack/relationship/relationship--69f5ca66-8334-47e1-920e-b9320e007c3b.json index 5774742fdc..b6380cbf15 100644 --- a/ics-attack/relationship/relationship--69f5ca66-8334-47e1-920e-b9320e007c3b.json +++ b/ics-attack/relationship/relationship--69f5ca66-8334-47e1-920e-b9320e007c3b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1961a362-95e5-4948-80d2-ace4257ebdfd", + "id": "bundle--be84df8d-13ec-40c3-ad12-ce8664ab0ade", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--69f5ca66-8334-47e1-920e-b9320e007c3b", "created": "2025-09-24T17:56:30.277Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--69f9597e-a47d-49bb-a182-376349f979ef.json b/ics-attack/relationship/relationship--69f9597e-a47d-49bb-a182-376349f979ef.json new file mode 100644 index 0000000000..ff36b18e0c --- /dev/null 
+++ b/ics-attack/relationship/relationship--69f9597e-a47d-49bb-a182-376349f979ef.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--43659f65-8d77-40df-8af4-b83f9f134465", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--69f9597e-a47d-49bb-a182-376349f979ef", + "created": "2026-04-22T13:31:06.137Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:20:53.842Z", + "description": "Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6a314797-9105-44e3-be5f-41b817454daf.json b/ics-attack/relationship/relationship--6a314797-9105-44e3-be5f-41b817454daf.json new file mode 100644 index 0000000000..10e2674feb --- /dev/null +++ b/ics-attack/relationship/relationship--6a314797-9105-44e3-be5f-41b817454daf.json 
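Review bot: The added `description` in `relationship--69f9597e-a47d-49bb-a182-376349f979ef.json` has a number mismatch in `critical commands message` and joins two sentences with a comma, which makes the mitigation harder to read. I would write it as `"description": "Provide an alternative method for sending critical command messages to outstations. This could include using radio/cell communication to send messages to a field technician who physically performs the control function.",`. As a suggestion beyond what the hunk states, the out-of-band channel is itself a path to control actions, so the text could also mention that the technician should be able to verify the origin of such a message.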
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--f4f8c6dc-1af6-40cd-a985-d30cedcb336d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--6a314797-9105-44e3-be5f-41b817454daf",
+ "created": "2026-04-23T00:27:00.713Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T17:33:16.859Z",
+ "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
+ "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6a476f56-2c07-43be-8054-d978ee8eb924.json b/ics-attack/relationship/relationship--6a476f56-2c07-43be-8054-d978ee8eb924.json
index 4eaa4e95c3..e4935b333e 100644
--- a/ics-attack/relationship/relationship--6a476f56-2c07-43be-8054-d978ee8eb924.json
+++ b/ics-attack/relationship/relationship--6a476f56-2c07-43be-8054-d978ee8eb924.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d367b881-b026-4fe2-9a53-86cc2bdbcc6b",
+ "id": "bundle--ed581d09-d82d-4951-a24c-c3676f6d4967",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--6a476f56-2c07-43be-8054-d978ee8eb924",
 "created": "2023-09-29T16:42:12.160Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:02:54.854Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
 "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
diff --git a/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json b/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json
index bfefb26cf8..76c073179b 100644
--- a/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json
+++ b/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9d690a0c-3e2e-46e1-9d6c-dc4a18fb991e",
+ "id": "bundle--71b167a0-5d43-4e17-ad34-098b8bcf4cc3",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--6ad39b3a-a962-457f-852c-be7fc615e22f",
 "created": "2020-09-21T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Department of Homeland Security October 2009",
diff --git a/ics-attack/relationship/relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json b/ics-attack/relationship/relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json
index ff4a5bc94c..8baf68572c 100644
--- a/ics-attack/relationship/relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json
+++ b/ics-attack/relationship/relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f3d3e0de-aecd-4750-b534-c920ab8c1ab4",
+ "id": "bundle--c3b7c392-28fe-48c9-adda-2d7c18830275",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72",
 "created": "2023-09-29T16:31:22.789Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:02:55.918Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
 "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
diff --git a/ics-attack/relationship/relationship--6b0e8f60-ecdf-4140-9741-5b50df67353c.json b/ics-attack/relationship/relationship--6b0e8f60-ecdf-4140-9741-5b50df67353c.json
index 793312057e..77227a6e0c 100644
--- a/ics-attack/relationship/relationship--6b0e8f60-ecdf-4140-9741-5b50df67353c.json
+++ b/ics-attack/relationship/relationship--6b0e8f60-ecdf-4140-9741-5b50df67353c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c80a5cb3-c1b3-4449-b874-78f69da59e6a",
+ "id": "bundle--ee3aba3a-d3ec-468b-b2c9-949600bbfde8",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--6b0e8f60-ecdf-4140-9741-5b50df67353c",
 "created": "2024-03-25T20:06:37.050Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "CISA AA23-335A IRGC-Affiliated December 2023",
diff --git a/ics-attack/relationship/relationship--6b33ae4d-2c8b-434f-994e-7e0b1413ff2c.json b/ics-attack/relationship/relationship--6b33ae4d-2c8b-434f-994e-7e0b1413ff2c.json
index 9a9bc9c392..cdae3050fe 100644
--- a/ics-attack/relationship/relationship--6b33ae4d-2c8b-434f-994e-7e0b1413ff2c.json
+++ b/ics-attack/relationship/relationship--6b33ae4d-2c8b-434f-994e-7e0b1413ff2c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e1c229cc-4fb6-4496-a0eb-16868819de99",
+ "id": "bundle--e5e4c326-b96a-47dd-9f12-2843ca222c44",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--6b33ae4d-2c8b-434f-994e-7e0b1413ff2c",
 "created": "2025-09-29T19:12:03.315Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json b/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json
index ecb33527e3..6e95ecb296 100644
--- a/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json
+++ b/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c422d0e7-0a30-41a8-95eb-b79bd6638f37",
+ "id": "bundle--d61ce3ed-0846-461c-bfdd-c97583f2d788",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json b/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json
index 57c44932a5..f3d96bcd07 100644
--- a/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json
+++ b/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e02eada5-6e52-4958-9198-f080a82f7df3",
+ "id": "bundle--c1f557f8-0618-4e6a-a72b-b6f593e1b5f8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json b/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json
index cb84866aaa..2eed3c6d74 100644
--- a/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json
+++ b/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--796e562b-2366-41e6-a95e-185a020319b7",
+ "id": "bundle--78a4e5b0-7467-4e93-add0-fdcc990bf5bc",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--6baa9172-04e4-416d-a009-668cda23fd5d",
 "created": "2021-10-08T15:25:32.143Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
diff --git a/ics-attack/relationship/relationship--6bbb12c3-171d-45a5-a01b-a74b0c0704f0.json b/ics-attack/relationship/relationship--6bbb12c3-171d-45a5-a01b-a74b0c0704f0.json
new file mode 100644
index 0000000000..66d6adafb6
--- /dev/null
+++ b/ics-attack/relationship/relationship--6bbb12c3-171d-45a5-a01b-a74b0c0704f0.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--84cfc1ab-e680-4270-8c00-bdd8f345d897",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--6bbb12c3-171d-45a5-a01b-a74b0c0704f0",
+ "created": "2026-04-22T16:02:56.600Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T15:53:04.770Z",
+ "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
+ "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
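Review bot: The `description` added in relationship--6bbb12c3-171d-45a5-a01b-a74b0c0704f0.json names the "vendor site" as a source for the trusted hash, which is often the same place the firmware image itself is downloaded from. A reference hash fetched over the same channel as the image does not reveal tampering at that distribution point, so the guidance as written can give a false sense of assurance. I would append a sentence such as `Obtain the reference hash through a channel independent of the firmware download, and prefer verifying a vendor signature where the device or tooling supports it.` to the string.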
diff --git a/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json b/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json
index 97004a626c..63348f4630 100644
--- a/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json
+++ b/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6a1a7fdf-2ca7-4a54-988d-7eb38e217171",
+ "id": "bundle--fff7a6c4-2e5c-4ae3-a4ce-83acc262e59b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json b/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json
index 95f15ef5e0..ea1b902eda 100644
--- a/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json
+++ b/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ac981c55-7bd5-41a0-93a9-4e0b4d040769",
+ "id": "bundle--7ef49007-eb3a-4505-86d0-490b2cfbdb7a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--6c20bab8-3b4d-4cbc-83f5-ad032c7ecde3.json b/ics-attack/relationship/relationship--6c20bab8-3b4d-4cbc-83f5-ad032c7ecde3.json
new file mode 100644
index 0000000000..ffc13ab1ad
--- /dev/null
+++ b/ics-attack/relationship/relationship--6c20bab8-3b4d-4cbc-83f5-ad032c7ecde3.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--333db9d0-3ddd-4347-a487-a9134c08bab5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--6c20bab8-3b4d-4cbc-83f5-ad032c7ecde3",
+ "created": "2026-04-22T13:45:46.984Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T13:45:46.984Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3",
+ "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6c31c795-935a-41ad-8db1-d74430f4a553.json b/ics-attack/relationship/relationship--6c31c795-935a-41ad-8db1-d74430f4a553.json
index ab0803f318..627e366b3c 100644
--- a/ics-attack/relationship/relationship--6c31c795-935a-41ad-8db1-d74430f4a553.json
+++ b/ics-attack/relationship/relationship--6c31c795-935a-41ad-8db1-d74430f4a553.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8a138513-4940-448a-af94-f2e756778d85",
+ "id": "bundle--cc56f86f-dbec-415d-8d48-66718a3b7e2a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--6c31c795-935a-41ad-8db1-d74430f4a553",
 "created": "2023-09-29T18:56:59.151Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:02:58.609Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
 "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
diff --git a/ics-attack/relationship/relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4.json b/ics-attack/relationship/relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4.json
index f8f4ce8bc2..0997b86343 100644
--- a/ics-attack/relationship/relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4.json
+++ b/ics-attack/relationship/relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ca620aec-e198-41fe-b6c0-230d4868306d",
+ "id": "bundle--4309c6b4-d682-4a1d-a337-21206cb4d9a9",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4",
 "created": "2023-09-28T20:09:36.756Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:02:58.835Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
 "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
diff --git a/ics-attack/relationship/relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json b/ics-attack/relationship/relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json
index 776bce4b3b..1a1423b8b9 100644
--- a/ics-attack/relationship/relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json
+++ b/ics-attack/relationship/relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--efbc7f4d-ca7a-4860-a31d-99df12deab31",
+ "id": "bundle--e1fa3dfe-55bb-4e7a-8c23-19d675ecb503",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e",
 "created": "2023-09-28T20:08:52.975Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:02:59.035Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
 "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
diff --git a/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json b/ics-attack/relationship/relationship--6ce3bd17-de4c-4ff3-9f7d-ae30efae2b58.json
similarity index 85%
rename from ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json
rename to ics-attack/relationship/relationship--6ce3bd17-de4c-4ff3-9f7d-ae30efae2b58.json
index 46f2ed5b9b..8e6497d88f 100644
--- a/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json
+++ b/ics-attack/relationship/relationship--6ce3bd17-de4c-4ff3-9f7d-ae30efae2b58.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--0d378c34-5ff1-4253-b0d8-2ff77be0ad8b",
+ "id": "bundle--3f894862-a3a2-4a20-97c3-42227df0579d",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1",
+ "id": "relationship--6ce3bd17-de4c-4ff3-9f7d-ae30efae2b58",
 "created": "2018-10-17T00:14:20.652Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -23,10 +23,10 @@
 "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)",
 "relationship_type": "uses",
 "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
- "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6cf80e5b-075f-4220-83a5-dc471bb9244b.json b/ics-attack/relationship/relationship--6cf80e5b-075f-4220-83a5-dc471bb9244b.json
index 2f5a7a8996..19f805eb6d 100644
--- a/ics-attack/relationship/relationship--6cf80e5b-075f-4220-83a5-dc471bb9244b.json
+++ b/ics-attack/relationship/relationship--6cf80e5b-075f-4220-83a5-dc471bb9244b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fe642db4-267b-4569-b39a-0e3f890d7034",
+ "id": "bundle--ff412231-e160-4a34-b287-d21989ad282e",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,7 +12,6 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-10-21T15:10:28.402Z",
- "description": "",
 "relationship_type": "detects",
 "source_ref": "x-mitre-detection-strategy--f9ea25e7-6e63-4ef1-a8ad-47a4a261e175",
 "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
diff --git a/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json b/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json
index 3eaeb55971..560d58001e 100644
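Review bot: The renamed relationship--6ce3bd17-de4c-4ff3-9f7d-ae30efae2b58.json gives the object a new `id` and a new `target_ref` while `created` stays at 2018-10-17, and the lines between its two hunks, where `modified` presumably sits, are untouched. A consumer that syncs incrementally on `modified`, or that never deletes objects it has already ingested, would miss the new edge and keep relationship--c785c026… pointing at the old target attack-pattern--008b8f56…. If a new id is intended, I would stamp `created` and `modified` with the time of the change and leave the old object in place with `"revoked": true` instead of removing its file; otherwise keep the original id and only bump `modified`. The renames to relationship--6e37ae60…, relationship--6f815d4c… and relationship--6fb4c5ec… follow the same pattern, and in 6e37ae60 the unchanged `modified` is visible as a context line.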
--- a/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json
+++ b/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--caf6ce9e-8a0e-47b1-9552-cd9d829918c9",
+ "id": "bundle--b65700e8-c860-4875-a785-950fac6c866f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json b/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json
index 3936971f42..00e9a61acd 100644
--- a/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json
+++ b/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fbe475b7-a379-4051-a72e-1d5007c49c1a",
+ "id": "bundle--bb9564cf-a5a6-45d0-a06a-6722327f4fc7",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--6d822f86-5793-403a-b176-5d533f6b81b3",
 "created": "2018-04-18T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Daavid Hentunen, Antti Tikkanen June 2014",
diff --git a/ics-attack/relationship/relationship--68c5a109-9dab-4bf1-953f-05e891bb41ca.json b/ics-attack/relationship/relationship--6e37ae60-f8db-4305-8235-8711c6cb8a4a.json
similarity index 78%
rename from ics-attack/relationship/relationship--68c5a109-9dab-4bf1-953f-05e891bb41ca.json
rename to ics-attack/relationship/relationship--6e37ae60-f8db-4305-8235-8711c6cb8a4a.json
index 71591f7137..12c50ec4ce 100644
--- a/ics-attack/relationship/relationship--68c5a109-9dab-4bf1-953f-05e891bb41ca.json
+++ b/ics-attack/relationship/relationship--6e37ae60-f8db-4305-8235-8711c6cb8a4a.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--9479f734-85cb-4d09-af8c-471875f6cf73",
+ "id": "bundle--88b44a0c-a801-4d15-b5f9-36cdfabb279e",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--68c5a109-9dab-4bf1-953f-05e891bb41ca",
+ "id": "relationship--6e37ae60-f8db-4305-8235-8711c6cb8a4a",
 "created": "2025-09-29T19:16:08.208Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -14,7 +14,7 @@
 ],
 "modified": "2025-09-29T19:16:08.208Z",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265",
 "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
diff --git a/ics-attack/relationship/relationship--6e5b9baf-8d51-4b1e-a0c4-09d4da904160.json b/ics-attack/relationship/relationship--6e5b9baf-8d51-4b1e-a0c4-09d4da904160.json
new file mode 100644
index 0000000000..73936807d9
--- /dev/null
+++ b/ics-attack/relationship/relationship--6e5b9baf-8d51-4b1e-a0c4-09d4da904160.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--2f5bfc1e-e6f2-47f3-b4c7-0d1f1548b4aa",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--6e5b9baf-8d51-4b1e-a0c4-09d4da904160",
+ "created": "2026-04-22T18:57:49.234Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T18:57:49.234Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a",
+ "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f.json b/ics-attack/relationship/relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f.json
index 0fd7384073..dc7edeb482 100644
--- a/ics-attack/relationship/relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f.json
+++ b/ics-attack/relationship/relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--81386505-08f9-417d-9444-c752d0a3a4c8",
+ "id": "bundle--73c8af06-9831-4fd6-91ba-c5fd33eb1bd4",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--6eafa3e9-f53f-43b5-ac24-1415b05b537f",
 "created": "2024-03-26T15:42:22.024Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:03:00.601Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d",
 "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
diff --git a/ics-attack/relationship/relationship--6ec8c4c2-9bfc-43ef-a634-f43cb951e06e.json b/ics-attack/relationship/relationship--6ec8c4c2-9bfc-43ef-a634-f43cb951e06e.json
new file mode 100644
index 0000000000..e0efeb52d0
--- /dev/null
+++ b/ics-attack/relationship/relationship--6ec8c4c2-9bfc-43ef-a634-f43cb951e06e.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--5351bcaf-8f85-4e3f-a026-bdd0115ca44a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--6ec8c4c2-9bfc-43ef-a634-f43cb951e06e",
+ "created": "2026-04-22T20:24:39.993Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T20:24:39.993Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c",
+ "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json b/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json
index c6de43ee95..49f2fea817 100644
--- a/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json
+++ b/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6cd6fd4f-6ea8-4e81-90f7-8f1f6486829d",
+ "id": "bundle--d5e659c9-52cf-4ce8-af1d-ec73d15e6750",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--6ed07095-c23a-4676-807f-a544deaeb274",
 "created": "2021-04-12T18:49:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "McAfee Labs October 2019",
diff --git a/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json b/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json
index 30c7e66578..45afa28791 100644
--- a/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json
+++ b/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bf89fd9e-a0fe-4571-ae92-e72217e6bc38",
+ "id": "bundle--86fb6379-c8a8-4e1d-a4ee-ff0bfe7d92a1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json b/ics-attack/relationship/relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json
index 3142e0d74d..399b9fd00d 100644
--- a/ics-attack/relationship/relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json
+++ b/ics-attack/relationship/relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e388a179-29a3-4d3a-aa42-4e49fee0114d",
+ "id": "bundle--7b516408-0f80-4536-9f3f-5d43dba3aa30",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf",
 "created": "2023-09-29T17:41:50.116Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:03:01.272Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
 "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
diff --git a/ics-attack/relationship/relationship--6f269b4c-b338-4b62-8a1a-f08268999b5c.json b/ics-attack/relationship/relationship--6f269b4c-b338-4b62-8a1a-f08268999b5c.json
new file mode 100644
index 0000000000..e99471d99c
--- /dev/null
+++ b/ics-attack/relationship/relationship--6f269b4c-b338-4b62-8a1a-f08268999b5c.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--6030ada4-a910-4ef5-95ee-c2ca091be45e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--6f269b4c-b338-4b62-8a1a-f08268999b5c",
+ "created": "2026-04-23T00:01:57.093Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T00:01:57.093Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef",
+ "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json b/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json
index 6d6c7a453b..880a5f5304 100644
--- a/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json
+++ b/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f4217de8-fd24-47ec-9541-cc0524bae67c",
+ "id": "bundle--bd5c7887-7f5c-445e-b4e0-3a36119a2d12",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--6f2ddada-d7df-4788-b5d1-9add185142e0.json b/ics-attack/relationship/relationship--6f2ddada-d7df-4788-b5d1-9add185142e0.json
index 17793c5475..94bef57f1f 100644
--- a/ics-attack/relationship/relationship--6f2ddada-d7df-4788-b5d1-9add185142e0.json
+++ b/ics-attack/relationship/relationship--6f2ddada-d7df-4788-b5d1-9add185142e0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e5aa7eb3-8b5f-405c-8cd3-9e2732d081ff",
+ "id": "bundle--8c453f52-51f9-4819-a48c-b007adf36d7c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--6f2ddada-d7df-4788-b5d1-9add185142e0",
 "created": "2023-09-28T20:02:57.330Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:03:01.724Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
 "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
diff --git a/ics-attack/relationship/relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json b/ics-attack/relationship/relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json
index a100701b7f..fba593581a 100644
--- a/ics-attack/relationship/relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json
+++ b/ics-attack/relationship/relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e8bdd074-2a35-4df7-aae5-8fab59383e1a",
+ "id": "bundle--b906b6ca-f227-471b-9d0c-5fe197d7e5ac",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e",
 "created": "2023-09-28T21:27:14.172Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:03:01.937Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
 "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
diff --git a/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json b/ics-attack/relationship/relationship--6f815d4c-0512-4d92-bcdf-068034233048.json
similarity index 74%
rename from ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json
rename to ics-attack/relationship/relationship--6f815d4c-0512-4d92-bcdf-068034233048.json
index 75a5b186e4..3c1bfd75ae 100644
--- a/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json
+++ b/ics-attack/relationship/relationship--6f815d4c-0512-4d92-bcdf-068034233048.json
@@ -1,13 +1,14 @@
 {
 "type": "bundle",
- "id": "bundle--7cf3a45a-953a-4fec-9d12-59d3ca003f81",
+ "id": "bundle--503c1482-d2cd-4b2b-871f-9d818896ca73",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1",
+ "id": "relationship--6f815d4c-0512-4d92-bcdf-068034233048",
 "created": "2020-09-21T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
@@ -15,10 +16,10 @@
 "description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6f950c91-125b-46a0-aa40-239b4de2306a.json b/ics-attack/relationship/relationship--6f950c91-125b-46a0-aa40-239b4de2306a.json
index 402235469f..021693a031 100644
--- a/ics-attack/relationship/relationship--6f950c91-125b-46a0-aa40-239b4de2306a.json +++ b/ics-attack/relationship/relationship--6f950c91-125b-46a0-aa40-239b4de2306a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75a74ed7-5576-4b4e-95e3-04b4964b6f5c", + "id": "bundle--d1bdf78b-442f-4d28-8481-1685a1ad0449", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--6f950c91-125b-46a0-aa40-239b4de2306a", "created": "2023-09-28T21:14:03.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:02.130Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd.json b/ics-attack/relationship/relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd.json index c1263a2fc7..94e022fc2c 100644 --- a/ics-attack/relationship/relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd.json +++ b/ics-attack/relationship/relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca6b2b81-8ef1-4ed8-8c60-f8c8b1304210", + "id": "bundle--7e112d36-6a7b-4cb6-b146-f6d93366db12", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--6f9e3f69-ac1c-479e-ae2d-73dd1413d4dd", "created": "2024-09-11T23:00:00.833Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Claroty Fuxnet 2024", diff --git a/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json b/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json index 5d1eac5599..6cdc522fb1 100644 
--- a/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json +++ b/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--630b1523-838f-42b3-b2ad-4c554e072d3f", + "id": "bundle--45ab7e12-0dcb-4af5-aac5-c67089bbb7a9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", diff --git a/ics-attack/relationship/relationship--3fb86696-1d56-42d5-a73d-044a78b588fe.json b/ics-attack/relationship/relationship--6fb4c5ec-4079-4419-a098-6e3cf026c360.json similarity index 85% rename from ics-attack/relationship/relationship--3fb86696-1d56-42d5-a73d-044a78b588fe.json rename to ics-attack/relationship/relationship--6fb4c5ec-4079-4419-a098-6e3cf026c360.json index 0b53e49d02..ef1aefbf04 100644 --- a/ics-attack/relationship/relationship--3fb86696-1d56-42d5-a73d-044a78b588fe.json +++ b/ics-attack/relationship/relationship--6fb4c5ec-4079-4419-a098-6e3cf026c360.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--7fad7149-edb6-4cd3-bc3c-fe2a829cd03b", + "id": "bundle--fe4b41c2-bc4c-4f26-9e8b-6f70b1c54aec", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--3fb86696-1d56-42d5-a73d-044a78b588fe", + "id": "relationship--6fb4c5ec-4079-4419-a098-6e3cf026c360", "created": "2023-09-27T14:54:12.586Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -23,10 +23,10 @@ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet converter firmware, rendering the devices not operational. This meant that communication to the downstream serial devices was either not possible or more difficult. (Citation: Booz Allen Hamilton)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json b/ics-attack/relationship/relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json index bd46a4df77..1cc2b7663a 100644 --- a/ics-attack/relationship/relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json +++ b/ics-attack/relationship/relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2748baa7-8c7f-424c-a039-55a003925477", + "id": "bundle--cc8cd886-7790-44e9-a88a-6d4309e7385c", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7", "created": "2023-03-30T19:25:22.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 Forescout July 2022", 
diff --git a/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json b/ics-attack/relationship/relationship--703adc98-d4d1-409e-bf20-4e65921ae52f.json similarity index 77% rename from ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json rename to ics-attack/relationship/relationship--703adc98-d4d1-409e-bf20-4e65921ae52f.json index 5f043dcdba..17832cb464 100644 --- a/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json +++ b/ics-attack/relationship/relationship--703adc98-d4d1-409e-bf20-4e65921ae52f.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--3312c1ca-8ff8-4139-89c1-7b9ccf5b7a03", + "id": "bundle--3ef48a62-2a04-4a65-80a4-12e54a090177", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--d08fdedd-12f6-4681-9167-70d070432dee", + "id": "relationship--703adc98-d4d1-409e-bf20-4e65921ae52f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json b/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json index 719010c100..c244c1679c 100644 --- a/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json +++ b/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c95c1fca-406a-4c6a-bfdc-50b3f50f110b", + "id": "bundle--1cc7afdd-7d88-4ba7-a81c-3abcf844efb3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ebb27a0d-c1cc-403f-aea0-6bc90aa52cfe.json b/ics-attack/relationship/relationship--706bf21c-0722-43b3-8729-60370f648796.json similarity index 75% rename from ics-attack/relationship/relationship--ebb27a0d-c1cc-403f-aea0-6bc90aa52cfe.json rename to ics-attack/relationship/relationship--706bf21c-0722-43b3-8729-60370f648796.json index 93cfec5123..1516b0106b 100644 --- a/ics-attack/relationship/relationship--ebb27a0d-c1cc-403f-aea0-6bc90aa52cfe.json +++ b/ics-attack/relationship/relationship--706bf21c-0722-43b3-8729-60370f648796.json 
@@ -1,21 +1,21 @@ { "type": "bundle", - "id": "bundle--65d1aba9-6d75-4528-a792-c2d52d8b62c8", + "id": "bundle--7f14beaa-525c-47bd-858e-b2b5a8a7053b", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--ebb27a0d-c1cc-403f-aea0-6bc90aa52cfe", + "id": "relationship--706bf21c-0722-43b3-8729-60370f648796", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--e69d1e15-76e1-434c-bd45-0354a10dde8a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" diff --git a/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json b/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json index 79670b7d33..246162d188 100644 --- a/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json +++ b/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--86ff8077-6bac-4270-ad45-23555cbabe34", + "id": "bundle--ea34f74b-abbb-4bca-a7ad-725ca70727d5", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "DHS CISA February 2019", 
diff --git a/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json b/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json index 2febc838c8..b5368b3cf6 100644 --- a/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json +++ b/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb18741a-2a5b-46d3-8436-da9403b2d41e", + "id": "bundle--a810ed6c-bfd0-4e21-aa7e-eeaca3420a8b", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--71422483-33e4-4131-a4ec-40322d91d8a0", "created": "2019-06-24T17:20:24.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Catalin Cimpanu April 2016", diff --git a/ics-attack/relationship/relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977.json b/ics-attack/relationship/relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977.json index 3826f2b91f..53581e0001 100644 --- a/ics-attack/relationship/relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977.json +++ b/ics-attack/relationship/relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--767be4f7-ab7f-494e-bdfd-b912d9b74296", + "id": "bundle--a4f4aaba-bc85-4c14-98f9-30716e2547f2", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977", "created": "2023-09-28T19:55:37.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:04.320Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
diff --git a/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json b/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json index 7ce4f90fc5..1acb84082c 100644 --- a/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json +++ b/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--56eac4e0-a62f-4bc7-8252-1a2ae92b177c", + "id": "bundle--2f88e7d6-ccb7-49c0-81cd-197ae581b8c5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json b/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json index 3dc17b4e28..b3aa8ff83b 100644 --- a/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json +++ b/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bfe87634-c1d5-4b22-93e4-6a070de504ba", + "id": "bundle--73d9db48-08f5-4aae-ae6f-14721177cf41", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--71f61677-4406-4484-bacb-c8de82c7e1bd.json b/ics-attack/relationship/relationship--71f61677-4406-4484-bacb-c8de82c7e1bd.json new file mode 100644 index 0000000000..dc2a2866dc --- /dev/null +++ b/ics-attack/relationship/relationship--71f61677-4406-4484-bacb-c8de82c7e1bd.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--20f663cd-93ab-4356-a048-d3ed027ec4d8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--71f61677-4406-4484-bacb-c8de82c7e1bd", + "created": "2026-04-22T14:33:24.324Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T14:33:24.324Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--f487a605-0acb-4b12-b157-33b75ebd9a40", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3.json b/ics-attack/relationship/relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3.json index 2d11c913c3..cfbd97c9af 100644 --- a/ics-attack/relationship/relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3.json +++ b/ics-attack/relationship/relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9214d4fe-6b1f-4a2c-91a9-7343df80a7f2", + "id": "bundle--23435c1b-50b8-44e6-a2a6-ac59eef182c7", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--7200f777-0ddd-4c9c-a022-26d49ea524d3", "created": "2024-09-11T23:00:48.583Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Claroty Fuxnet 2024", diff --git a/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json b/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json index f00611dcf1..66ae7989c1 100644 
--- a/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json +++ b/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0299da85-a1d0-40f3-80bd-f0f8761035ed", + "id": "bundle--2fd1e346-1ee3-42c7-8845-2785aa17c579", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--7258c355-677c-452d-b1fc-27767232437b", "created": "2019-03-26T16:19:52.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019", diff --git a/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json b/ics-attack/relationship/relationship--72848957-910f-4fa5-8a59-383c0a9dae62.json similarity index 74% rename from ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json rename to ics-attack/relationship/relationship--72848957-910f-4fa5-8a59-383c0a9dae62.json index dd8086f7ad..74ed127b16 100644 --- a/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json +++ b/ics-attack/relationship/relationship--72848957-910f-4fa5-8a59-383c0a9dae62.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--48aa1a74-15de-46bf-993b-e99f8bc0eb28", + "id": "bundle--b5eae95c-551e-4a71-a642-bafe8735eefc", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--43bdf580-b98f-49cf-92d5-3dac50450c86", + "id": "relationship--72848957-910f-4fa5-8a59-383c0a9dae62", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -15,10 +16,10 @@ "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--730580d4-d68c-407f-9d09-f379e9aefc7e.json b/ics-attack/relationship/relationship--730580d4-d68c-407f-9d09-f379e9aefc7e.json index ab217fe3a4..f9d78bd6a2 100644 --- a/ics-attack/relationship/relationship--730580d4-d68c-407f-9d09-f379e9aefc7e.json +++ b/ics-attack/relationship/relationship--730580d4-d68c-407f-9d09-f379e9aefc7e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5e16706e-e742-4fa2-b9f9-d5b0132ae56b", + "id": "bundle--88d9420f-9c40-4d83-9f60-185c6bb326c6", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--730580d4-d68c-407f-9d09-f379e9aefc7e", "created": "2023-03-30T19:25:41.475Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 Forescout July 2022", diff --git a/ics-attack/relationship/relationship--73093c08-ea39-4956-8bff-55e15f6630cd.json b/ics-attack/relationship/relationship--73093c08-ea39-4956-8bff-55e15f6630cd.json index 339e865668..cf196523b1 100644 --- a/ics-attack/relationship/relationship--73093c08-ea39-4956-8bff-55e15f6630cd.json +++ b/ics-attack/relationship/relationship--73093c08-ea39-4956-8bff-55e15f6630cd.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9171bfb3-6df0-427e-a553-9a8dc61e1165", + "id": "bundle--76df5414-4f2c-4bb0-a161-c65da9a78930", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--73093c08-ea39-4956-8bff-55e15f6630cd", "created": "2023-09-28T20:07:59.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:05.863Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--73856fa4-5abb-4341-bf51-1874cc1e6c26.json b/ics-attack/relationship/relationship--73856fa4-5abb-4341-bf51-1874cc1e6c26.json new file mode 100644 index 0000000000..5b22b13bb3 --- /dev/null +++ b/ics-attack/relationship/relationship--73856fa4-5abb-4341-bf51-1874cc1e6c26.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--856ecf9a-15ce-4480-b3d1-f88dbfcf1f08", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--73856fa4-5abb-4341-bf51-1874cc1e6c26", + "created": "2026-04-22T20:25:39.530Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:25:39.530Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries corrupted the firmware in the Hitachi RTUs resulting in a fault that triggered a reboot loop.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json b/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json index 488143e154..71ec2e94c6 100644 --- a/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json +++ b/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ab58e4e-96ba-47f6-bb3e-a27ae896eb87", + "id": "bundle--7a4189d4-5df6-494d-8fb5-fe62fb7f4f88", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos", diff --git a/ics-attack/relationship/relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148.json b/ics-attack/relationship/relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148.json index 1a6176ff2c..cdd87ba58a 100644 --- a/ics-attack/relationship/relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148.json +++ b/ics-attack/relationship/relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d5643f7a-ac34-4c2f-adea-61605b9774cb", + "id": "bundle--83dc4f71-8f82-47c6-968e-0759f90c7b8d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--73c358d5-f4ce-4ce5-aa3d-d2ede8aff148", "created": "2024-03-25T20:17:16.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:06.534Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--73dbe470-0d10-493b-b0ae-241da7dc0b58.json b/ics-attack/relationship/relationship--73dbe470-0d10-493b-b0ae-241da7dc0b58.json new file mode 100644 index 0000000000..d679fc3e56 --- /dev/null +++ b/ics-attack/relationship/relationship--73dbe470-0d10-493b-b0ae-241da7dc0b58.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--30f9b3d5-c188-443e-82c7-0c9f7a515301", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--73dbe470-0d10-493b-b0ae-241da7dc0b58", + "created": "2026-04-22T17:59:55.913Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:31:55.578Z", + "description": "Use network intrusion detection/prevention systems to detect and prevent port scans.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fd7247a4-b299-4948-a3b0-9b43f4f41ae0.json b/ics-attack/relationship/relationship--73eaa82f-9ab0-430d-86b8-64ea85b18c91.json similarity index 85% rename from ics-attack/relationship/relationship--fd7247a4-b299-4948-a3b0-9b43f4f41ae0.json rename to ics-attack/relationship/relationship--73eaa82f-9ab0-430d-86b8-64ea85b18c91.json index 327a981720..97746a0653 100644 --- a/ics-attack/relationship/relationship--fd7247a4-b299-4948-a3b0-9b43f4f41ae0.json +++ b/ics-attack/relationship/relationship--73eaa82f-9ab0-430d-86b8-64ea85b18c91.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--c9c6db58-c9a2-42b5-82d0-874e7fce8ac4", + "id": "bundle--52322c8b-ac7d-40a9-b625-de6862dfe8b5", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--fd7247a4-b299-4948-a3b0-9b43f4f41ae0", + "id": "relationship--73eaa82f-9ab0-430d-86b8-64ea85b18c91", "created": "2024-03-28T14:29:46.095Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -23,10 +23,10 @@ "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) leveraged [Triton](https://attack.mitre.org/software/S1009) to send unauthorized command messages to the Triconex safety controllers.(Citation: FireEye TRITON 2018)", "relationship_type": "uses", "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json b/ics-attack/relationship/relationship--73ed52f4-4a98-47e7-84bf-5eae555d999d.json similarity index 76% rename from ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json rename to ics-attack/relationship/relationship--73ed52f4-4a98-47e7-84bf-5eae555d999d.json index 2f10a31243..07e01da278 100644 --- a/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json +++ b/ics-attack/relationship/relationship--73ed52f4-4a98-47e7-84bf-5eae555d999d.json 
@@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--c974eab6-b3ec-4673-8d24-aa139a730fac", + "id": "bundle--eeb69abf-678e-46e3-84db-56808d9f86a6", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5", + "id": "relationship--73ed52f4-4a98-47e7-84bf-5eae555d999d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--740082b7-2411-473a-a59d-4d46cf12f8b5.json b/ics-attack/relationship/relationship--740082b7-2411-473a-a59d-4d46cf12f8b5.json index 06ce901619..cf117f41dd 100644 --- a/ics-attack/relationship/relationship--740082b7-2411-473a-a59d-4d46cf12f8b5.json +++ b/ics-attack/relationship/relationship--740082b7-2411-473a-a59d-4d46cf12f8b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--041e8508-2b34-4291-836d-66e8c88411a0", + "id": "bundle--1e8a74f1-3088-4701-a248-ce3853d00285", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--740082b7-2411-473a-a59d-4d46cf12f8b5", "created": "2023-09-29T18:45:01.516Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:06.769Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json b/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json index 17473d8d52..bc6ce49cb9 100644 --- a/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json +++ b/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--765af26e-e73f-4015-a5db-9db3f55c02fe", + "id": "bundle--3f158bb6-350a-46d3-ad4f-f36e8c1c2969", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7.json b/ics-attack/relationship/relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7.json index 899383a014..33d74b7c67 100644 --- a/ics-attack/relationship/relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7.json +++ b/ics-attack/relationship/relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc430d73-808e-4ab9-a3c6-70f4b4305976", + "id": "bundle--437b1727-f377-444c-b305-0e4d7b6379b3", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7", "created": "2023-09-29T17:57:23.090Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:07.186Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--74a6f16c-3a23-4cac-8592-fc363960f9df.json b/ics-attack/relationship/relationship--74a6f16c-3a23-4cac-8592-fc363960f9df.json new file mode 100644 index 0000000000..6eb4e08add --- /dev/null +++ b/ics-attack/relationship/relationship--74a6f16c-3a23-4cac-8592-fc363960f9df.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--f17ebb9d-17e4-42e1-b3f9-70f898c7f2d4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--74a6f16c-3a23-4cac-8592-fc363960f9df", + "created": "2026-04-22T20:17:57.960Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:17:57.960Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json b/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json index cbb0a132a8..2e3e31eb51 100644 
--- a/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json +++ b/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d38d1b0-f8ca-4f0e-b3b8-71a9357bacce", + "id": "bundle--3013fe1b-5a9e-466c-a8c7-22b35dfe3be9", "spec_version": "2.0", "objects": [ { @@ -19,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:07.420Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. (Citation: MDudek-ICS)", + "modified": "2026-04-17T16:33:22.188Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed.(Citation: MDudek-ICS)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json b/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json index ab571d4082..bf6e576e53 100644 --- a/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json +++ b/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dfa09839-77a4-4336-9311-12c0cf3212c4", + "id": "bundle--73caab4d-5ee1-4bf7-ac6c-9f13bbe55428", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json b/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json index 443f5b9b0e..aeeb773c7b 100644 --- a/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json +++ b/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1e1f7b57-534f-4fab-a944-9807aa7d8ab4", + "id": "bundle--040eec3d-ea57-484a-b399-95b345c24110", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json b/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json index 1774af130a..349081242c 100644 --- a/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json +++ b/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--293320a6-8a01-45b2-b78b-366d78f833bb", + "id": "bundle--6a83e696-db18-49d7-98cf-03c20e4ab7c3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7584e57f-1258-4c47-b18d-99019a586e6c.json b/ics-attack/relationship/relationship--7584e57f-1258-4c47-b18d-99019a586e6c.json index ff13a4ae81..6916b90555 100644 --- a/ics-attack/relationship/relationship--7584e57f-1258-4c47-b18d-99019a586e6c.json +++ b/ics-attack/relationship/relationship--7584e57f-1258-4c47-b18d-99019a586e6c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--390d05d1-93d1-45a4-b651-f1dd791f8e39", + "id": "bundle--a6c6e643-c1ab-426f-bfce-70f7d4a222eb", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--7584e57f-1258-4c47-b18d-99019a586e6c", "created": "2023-09-28T21:16:35.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:08.328Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--758773e3-d23d-44db-b5d3-643cde5b41f1.json b/ics-attack/relationship/relationship--758773e3-d23d-44db-b5d3-643cde5b41f1.json index 55c74b84d0..98ceb69a27 100644 --- a/ics-attack/relationship/relationship--758773e3-d23d-44db-b5d3-643cde5b41f1.json +++ b/ics-attack/relationship/relationship--758773e3-d23d-44db-b5d3-643cde5b41f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--62556c1c-3200-4f27-998d-d525e011eb29", + "id": "bundle--b6da3cc1-571a-4477-884c-59d08b418f0e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--758773e3-d23d-44db-b5d3-643cde5b41f1", "created": "2023-09-28T19:45:07.511Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:08.526Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json b/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json index 21a639eb5d..6e99512602 100644 --- a/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json +++ b/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--18cfb267-121c-4010-bba3-5a2febb644c0", + "id": "bundle--cafdedc3-5db1-45a2-b3e9-297b93dcfc29", "spec_version": "2.0", "objects": [ { @@ -8,18 +8,17 @@ "id": "relationship--758d5818-f919-4a6b-9dc2-a212595a11bd", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:08.752Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "modified": "2025-12-24T17:47:04.871Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--75911ed1-3cd0-485d-8130-3aae06712f4a.json b/ics-attack/relationship/relationship--75911ed1-3cd0-485d-8130-3aae06712f4a.json new file mode 100644 index 0000000000..01b22f40fd --- /dev/null +++ b/ics-attack/relationship/relationship--75911ed1-3cd0-485d-8130-3aae06712f4a.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--fd1d413c-4412-42d1-ba2a-ae97d9dfb4d8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--75911ed1-3cd0-485d-8130-3aae06712f4a", + "created": "2026-04-22T13:48:07.154Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:48:07.154Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0628c6a0-f799-44c4-b68a-95d32d244763.json b/ics-attack/relationship/relationship--75b17842-7614-4c52-9a78-db096f8b653c.json similarity index 78% rename from ics-attack/relationship/relationship--0628c6a0-f799-44c4-b68a-95d32d244763.json rename to ics-attack/relationship/relationship--75b17842-7614-4c52-9a78-db096f8b653c.json index 999abf66e8..4b6b6a1a88 100644 --- a/ics-attack/relationship/relationship--0628c6a0-f799-44c4-b68a-95d32d244763.json +++ b/ics-attack/relationship/relationship--75b17842-7614-4c52-9a78-db096f8b653c.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--195bf6f8-b21e-404b-bc19-df1df603fe9f", + "id": "bundle--543e2ec9-6603-40f4-9ada-e9469dd21a69", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--0628c6a0-f799-44c4-b68a-95d32d244763", + "id": "relationship--75b17842-7614-4c52-9a78-db096f8b653c", "created": "2025-09-29T21:56:50.121Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -14,7 +14,7 @@ ], "modified": "2025-09-29T21:56:50.121Z", "relationship_type": "targets", - "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "source_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, diff --git a/ics-attack/relationship/relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48.json b/ics-attack/relationship/relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48.json index e0cbfcc10c..87f763fbaf 100644 --- a/ics-attack/relationship/relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48.json +++ b/ics-attack/relationship/relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--64098456-01eb-4952-80e9-d63da28cbd9a", + "id": "bundle--cbb42c79-da27-4a89-a667-0ce3fa3bac0a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48", "created": "2023-09-29T17:06:33.098Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:09.180Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--75e6adae-06a7-47e9-878e-74ca73004c3b.json b/ics-attack/relationship/relationship--75e6adae-06a7-47e9-878e-74ca73004c3b.json index f46f3d6b97..6a38b17dea 100644 --- a/ics-attack/relationship/relationship--75e6adae-06a7-47e9-878e-74ca73004c3b.json +++ b/ics-attack/relationship/relationship--75e6adae-06a7-47e9-878e-74ca73004c3b.json 
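Review bot: `modified` stays at `2025-09-29T21:56:50.121Z` as an unchanged context line in the `@@ -14,7 +14,7 @@` hunk, although `source_ref` is re-pointed there and the relationship `id` is replaced in the previous hunk of the same renamed file. A consumer that pulls deltas by comparing `modified` with its last sync time would presumably not pick up the re-issued object, and anything keyed on the old id relationship--0628c6a0-f799-44c4-b68a-95d32d244763 loses its record with no revocation marker visible in these hunks. I would set the timestamp to the time of this edit, `"modified": "<timestamp of this change>",`, and confirm that a `revoked-by` relationship links the old and new `source_ref` techniques elsewhere in the commit. The renamed files relationship--76cf41a1-f340-401c-b640-bf7fe5143f56 and relationship--79516dd8-72de-4372-bfce-b7f4a98b98d7 show the same pattern.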
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b8e899b1-2d5a-4537-b532-1cae57a91733", + "id": "bundle--5daa4830-2633-4f9b-bb4e-950e80dcbe11", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--75e6adae-06a7-47e9-878e-74ca73004c3b", "created": "2023-09-28T20:30:01.641Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:09.421Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--75f486d8-c651-40ba-8e2e-81ee6c924ffc.json b/ics-attack/relationship/relationship--75f486d8-c651-40ba-8e2e-81ee6c924ffc.json index f0eee02475..5fb913b010 100644 --- a/ics-attack/relationship/relationship--75f486d8-c651-40ba-8e2e-81ee6c924ffc.json +++ b/ics-attack/relationship/relationship--75f486d8-c651-40ba-8e2e-81ee6c924ffc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd167f4e-e544-4501-8557-cc2585ae59ff", + "id": "bundle--2e45e814-e6c1-451f-844b-727e2b19f1a7", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--75f486d8-c651-40ba-8e2e-81ee6c924ffc", "created": "2025-09-29T21:56:11.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--76537fd7-5782-4a8d-9b54-117b168a4306.json b/ics-attack/relationship/relationship--76537fd7-5782-4a8d-9b54-117b168a4306.json index aa41c87252..2e3f53f1a5 100644 --- a/ics-attack/relationship/relationship--76537fd7-5782-4a8d-9b54-117b168a4306.json +++ b/ics-attack/relationship/relationship--76537fd7-5782-4a8d-9b54-117b168a4306.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d79b6fd-457f-4d37-885c-eb2889daccd4", + "id": "bundle--c78a3ad5-9f00-4158-9dcc-3627b2596664", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--76537fd7-5782-4a8d-9b54-117b168a4306", "created": "2023-09-29T16:38:51.155Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:09.631Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--768b6ce0-8b1c-4424-a9e7-ee659a948fa9.json b/ics-attack/relationship/relationship--768b6ce0-8b1c-4424-a9e7-ee659a948fa9.json index 28942f075c..6a884e25b8 100644 --- a/ics-attack/relationship/relationship--768b6ce0-8b1c-4424-a9e7-ee659a948fa9.json +++ b/ics-attack/relationship/relationship--768b6ce0-8b1c-4424-a9e7-ee659a948fa9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f291565-525d-4ca1-a1ea-bffb963acab6", + "id": "bundle--c05d218b-2469-4af3-862b-075d822c74f6", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--768b6ce0-8b1c-4424-a9e7-ee659a948fa9", "created": "2025-09-24T18:20:40.018Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--bc1e1980-8acf-4505-8142-d382d83421d4.json b/ics-attack/relationship/relationship--76cf41a1-f340-401c-b640-bf7fe5143f56.json similarity index 78% rename from ics-attack/relationship/relationship--bc1e1980-8acf-4505-8142-d382d83421d4.json rename to ics-attack/relationship/relationship--76cf41a1-f340-401c-b640-bf7fe5143f56.json index ac084d6af1..c9fc4288eb 100644 
--- a/ics-attack/relationship/relationship--bc1e1980-8acf-4505-8142-d382d83421d4.json +++ b/ics-attack/relationship/relationship--76cf41a1-f340-401c-b640-bf7fe5143f56.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--471796b5-afea-464c-b11a-2271733b1586", + "id": "bundle--dc6ad0b9-1ce2-4ccb-abf9-fc44a4b77efb", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--bc1e1980-8acf-4505-8142-d382d83421d4", + "id": "relationship--76cf41a1-f340-401c-b640-bf7fe5143f56", "created": "2025-09-29T19:47:36.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-29T19:47:36.964Z", "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, diff --git a/ics-attack/relationship/relationship--77566f94-5e26-41c9-892f-2f62b395afe7.json b/ics-attack/relationship/relationship--77566f94-5e26-41c9-892f-2f62b395afe7.json index d17202a593..bda94984e3 100644 --- a/ics-attack/relationship/relationship--77566f94-5e26-41c9-892f-2f62b395afe7.json +++ b/ics-attack/relationship/relationship--77566f94-5e26-41c9-892f-2f62b395afe7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ec57feb6-6396-4b07-9817-965e62405d91", + "id": "bundle--f1626f45-50c0-4850-b55a-6317cc2a7268", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--77566f94-5e26-41c9-892f-2f62b395afe7", "created": "2023-09-28T20:01:43.057Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:10.076Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--779d3d69-f079-4bee-b7ac-3d5164b9ec6d.json b/ics-attack/relationship/relationship--779d3d69-f079-4bee-b7ac-3d5164b9ec6d.json new file mode 100644 index 0000000000..0fc985563c --- /dev/null +++ b/ics-attack/relationship/relationship--779d3d69-f079-4bee-b7ac-3d5164b9ec6d.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--1c84984a-979d-49a6-9860-ad348296723c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--779d3d69-f079-4bee-b7ac-3d5164b9ec6d", + "created": "2026-04-22T20:23:55.959Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:23:55.959Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--77f3a64d-227d-487f-8484-89007e05b59f.json b/ics-attack/relationship/relationship--77f3a64d-227d-487f-8484-89007e05b59f.json index e4afe70c40..525cbc5dc5 100644 
--- a/ics-attack/relationship/relationship--77f3a64d-227d-487f-8484-89007e05b59f.json +++ b/ics-attack/relationship/relationship--77f3a64d-227d-487f-8484-89007e05b59f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1d266b25-0f7f-48ba-9602-6a17004dee91", + "id": "bundle--e1cbc5b7-0819-4ff7-89fd-7c9d982a7715", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--77f3a64d-227d-487f-8484-89007e05b59f", "created": "2023-09-28T21:16:14.153Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:10.528Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--78881a3d-59ad-4fbb-8bd2-69388a068584.json b/ics-attack/relationship/relationship--78881a3d-59ad-4fbb-8bd2-69388a068584.json index ccc35fb8a8..af9a214450 100644 --- a/ics-attack/relationship/relationship--78881a3d-59ad-4fbb-8bd2-69388a068584.json +++ b/ics-attack/relationship/relationship--78881a3d-59ad-4fbb-8bd2-69388a068584.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--40c97b66-9e30-4d63-b17b-da6a2b4896ee", + "id": "bundle--ddf9b380-04cd-47f4-a45c-74262788e07b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--78881a3d-59ad-4fbb-8bd2-69388a068584", "created": "2023-09-29T18:01:45.518Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:10.749Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
diff --git a/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json b/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json index 7318c07bb3..7200721f59 100644 --- a/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json +++ b/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dbdffa92-6031-42bc-b2cf-30d26c5b83a5", + "id": "bundle--1d6bd284-1751-42e4-9a32-2b66889d1911", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--792324b4-064a-430c-8ffc-7f7acd537778", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Symantec", diff --git a/ics-attack/relationship/relationship--79235599-e23f-43cb-9c56-1eb22b7c4664.json b/ics-attack/relationship/relationship--79235599-e23f-43cb-9c56-1eb22b7c4664.json index 2d4da8d5d7..2b9b0b14bb 100644 --- a/ics-attack/relationship/relationship--79235599-e23f-43cb-9c56-1eb22b7c4664.json +++ b/ics-attack/relationship/relationship--79235599-e23f-43cb-9c56-1eb22b7c4664.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ad4377b-7570-43ad-a7ad-ceb9d5e26167", + "id": "bundle--9206fc4a-96c2-4ecb-890c-b561277b2b60", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--79235599-e23f-43cb-9c56-1eb22b7c4664", "created": "2023-09-29T16:38:38.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:11.899Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
diff --git a/ics-attack/relationship/relationship--79259f05-a677-4512-bb57-8c3137d303ba.json b/ics-attack/relationship/relationship--79259f05-a677-4512-bb57-8c3137d303ba.json new file mode 100644 index 0000000000..1346f9d18e --- /dev/null +++ b/ics-attack/relationship/relationship--79259f05-a677-4512-bb57-8c3137d303ba.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--5f1e4266-c9bd-4f8b-ad3f-0d5608b47421", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--79259f05-a677-4512-bb57-8c3137d303ba", + "created": "2026-04-22T21:41:30.908Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:41:30.908Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json b/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json index 4cbbe3cd17..567834b634 100644 --- a/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json +++ b/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--40c9bb74-699a-4054-ab42-3b38ff7e367f", + "id": "bundle--de23df90-c67a-4583-9304-1ab5a2215d7d", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--79324bdd-cdab-4d0a-af60-af1047c1d117", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--79407d1e-8e16-48c1-939c-ad92f91dd988.json b/ics-attack/relationship/relationship--79407d1e-8e16-48c1-939c-ad92f91dd988.json index 6199652d09..264b91b856 100644 --- a/ics-attack/relationship/relationship--79407d1e-8e16-48c1-939c-ad92f91dd988.json +++ b/ics-attack/relationship/relationship--79407d1e-8e16-48c1-939c-ad92f91dd988.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e79e589a-f443-43ba-abce-c58330cbb430", + "id": "bundle--fa76f604-cf4a-41cc-9fe3-9c961b297127", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--79407d1e-8e16-48c1-939c-ad92f91dd988", "created": "2023-09-29T16:30:19.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:12.327Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6.json b/ics-attack/relationship/relationship--79516dd8-72de-4372-bfce-b7f4a98b98d7.json similarity index 71% rename from ics-attack/relationship/relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6.json rename to ics-attack/relationship/relationship--79516dd8-72de-4372-bfce-b7f4a98b98d7.json index da9a8e9b84..f905ccd360 100644 --- a/ics-attack/relationship/relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6.json +++ b/ics-attack/relationship/relationship--79516dd8-72de-4372-bfce-b7f4a98b98d7.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--d0645c00-092d-46ab-88ff-95c58cf2fd83", + "id": "bundle--0e5bf178-bad3-4904-8bf7-950d1043bf90", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6", + "id": "relationship--79516dd8-72de-4372-bfce-b7f4a98b98d7", "created": "2023-09-28T20:11:42.579Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:24.426Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json b/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json index ab209186e1..034ff45eb9 100644 --- a/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json +++ b/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0af0d23a-60dd-4e14-931e-58e7ffff16e1", + "id": "bundle--9492ca05-a392-48fd-8345-7bbb43fd7413", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--798de2f3-218b-4622-a62c-84e3840d45a6.json b/ics-attack/relationship/relationship--798de2f3-218b-4622-a62c-84e3840d45a6.json index 92bf56a159..53d876cdc7 100644 --- a/ics-attack/relationship/relationship--798de2f3-218b-4622-a62c-84e3840d45a6.json 
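Review bot: The second hunk for relationship--79516dd8-72de-4372-bfce-b7f4a98b98d7 keeps `"modified": "2025-04-16T23:03:24.426Z"` as an unchanged context line even though the object gets a new `id`, a new `source_ref` and `x_mitre_attack_spec_version` 3.3.0. A consumer that ingests incrementally on `modified` would likely skip this object. The previous id, relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6, disappears through the file rename with no revocation visible here. If the relationship was deliberately re-created, set the timestamp to the time of the change, for example `"modified": "<EXPORT_TIMESTAMP>"` (placeholder). The renamed files relationship--7a3fbac8-c666-4564-b02a-ea199bbcb2a5, relationship--7ad4a725-8eb7-45b3-bfd7-f9bd29cc5970 and relationship--7de5de32-6f37-4419-97b8-77eb9d69be40 show the same pattern.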
+++ b/ics-attack/relationship/relationship--798de2f3-218b-4622-a62c-84e3840d45a6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--613606cd-d8dc-4349-8893-6628d64f5ace", + "id": "bundle--8f9c56ee-2edd-4ceb-98fa-ed668e455763", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--798de2f3-218b-4622-a62c-84e3840d45a6", "created": "2023-09-29T18:00:10.845Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:12.762Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--799951e5-ab80-4b13-a136-7fbcab4e19af.json b/ics-attack/relationship/relationship--799951e5-ab80-4b13-a136-7fbcab4e19af.json new file mode 100644 index 0000000000..ffeeb89dfa --- /dev/null +++ b/ics-attack/relationship/relationship--799951e5-ab80-4b13-a136-7fbcab4e19af.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--ab028f5b-cdc9-4330-b882-94517c5eca80", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--799951e5-ab80-4b13-a136-7fbcab4e19af", + "created": "2026-04-22T22:47:57.090Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:47:57.090Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json b/ics-attack/relationship/relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json index 6329dde4c1..bac9d0d967 100644 --- a/ics-attack/relationship/relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json +++ b/ics-attack/relationship/relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d59c64cf-21cd-4763-8441-0f1a303e2fad", + "id": "bundle--1bbf7817-30ae-45c3-a3d2-4bbada3bc872", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19", "created": "2023-09-29T16:32:22.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:12.990Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json b/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json index 718c77b4ae..1a715b370e 100644 --- a/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json +++ b/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--33b6932f-2a43-487e-a7ac-62f76b2d78c3", + "id": "bundle--8287efec-6c74-4538-a36c-ee6c03a2145b", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--79d05cb2-ded0-4847-b52e-af7af421f303", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Kevin Savage and Branko Spasojevic", 
diff --git a/ics-attack/relationship/relationship--7a29d34a-08fd-4aeb-8968-22856ad7429a.json b/ics-attack/relationship/relationship--7a29d34a-08fd-4aeb-8968-22856ad7429a.json new file mode 100644 index 0000000000..1a165625c2 --- /dev/null +++ b/ics-attack/relationship/relationship--7a29d34a-08fd-4aeb-8968-22856ad7429a.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--811ff78b-2bea-4f54-b68e-09b04354527c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7a29d34a-08fd-4aeb-8968-22856ad7429a", + "created": "2026-04-22T22:31:56.959Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:31:56.959Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2.json b/ics-attack/relationship/relationship--7a3fbac8-c666-4564-b02a-ea199bbcb2a5.json similarity index 71% rename from ics-attack/relationship/relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2.json rename to ics-attack/relationship/relationship--7a3fbac8-c666-4564-b02a-ea199bbcb2a5.json index 3f56d18797..3e761ada80 100644 --- a/ics-attack/relationship/relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2.json +++ b/ics-attack/relationship/relationship--7a3fbac8-c666-4564-b02a-ea199bbcb2a5.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--08c1b1a5-b97c-4793-b8e4-2665230b7804", + "id": "bundle--34423f3a-44c1-4b1d-ae70-de1db2ed49cc", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2", + "id": "relationship--7a3fbac8-c666-4564-b02a-ea199bbcb2a5", "created": "2023-09-28T20:31:17.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:29.670Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json b/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json index 57fc0328df..bc565eb781 100644 --- a/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json +++ b/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1759d284-03cf-490f-88ec-4bb404f0f580", + "id": "bundle--11d994fc-d71a-467e-909b-0c067d0fcd33", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Hydro", 
diff --git a/ics-attack/relationship/relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb.json b/ics-attack/relationship/relationship--7ad4a725-8eb7-45b3-bfd7-f9bd29cc5970.json similarity index 71% rename from ics-attack/relationship/relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb.json rename to ics-attack/relationship/relationship--7ad4a725-8eb7-45b3-bfd7-f9bd29cc5970.json index 5bdedbf0f6..5f442ce56b 100644 --- a/ics-attack/relationship/relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb.json +++ b/ics-attack/relationship/relationship--7ad4a725-8eb7-45b3-bfd7-f9bd29cc5970.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--00529e96-6c49-497f-99d7-5fe72253717a", + "id": "bundle--b9f57d34-9232-485a-879f-2a4282056bda", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb", + "id": "relationship--7ad4a725-8eb7-45b3-bfd7-f9bd29cc5970", "created": "2023-09-28T20:30:32.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:12.007Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0.json b/ics-attack/relationship/relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0.json index 7c52de2f69..d09f80c409 100644 --- a/ics-attack/relationship/relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0.json 
+++ b/ics-attack/relationship/relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a36ace6e-363b-4beb-a7d1-b7ad7befe41c", + "id": "bundle--d6d3b8d7-7da8-4bf6-ad54-6c014027f096", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0", "created": "2023-09-29T16:33:23.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:14.317Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780.json b/ics-attack/relationship/relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780.json index 61ac5a87eb..1df05930ab 100644 --- a/ics-attack/relationship/relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780.json +++ b/ics-attack/relationship/relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--22859248-5c62-4ce2-8dc2-ba23036d49da", + "id": "bundle--a40fc919-fc35-4854-8214-ffe0f375afd0", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780", "created": "2023-09-28T19:45:42.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:14.536Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
diff --git a/ics-attack/relationship/relationship--7b8f6d2b-3091-4b0f-9987-88cd344007a1.json b/ics-attack/relationship/relationship--7b8f6d2b-3091-4b0f-9987-88cd344007a1.json index e1def3f274..36d379e58b 100644 --- a/ics-attack/relationship/relationship--7b8f6d2b-3091-4b0f-9987-88cd344007a1.json +++ b/ics-attack/relationship/relationship--7b8f6d2b-3091-4b0f-9987-88cd344007a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b2ab2182-c795-411c-8743-7c6e22cb5700", + "id": "bundle--444b7a34-d1b1-4006-9757-22362ad840ea", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--f4f3b9a6-2de0-45a5-8936-2ad9288191b9", "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", diff --git a/ics-attack/relationship/relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b.json b/ics-attack/relationship/relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b.json index be45122b6a..d8410095e0 100644 --- a/ics-attack/relationship/relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b.json +++ b/ics-attack/relationship/relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d030e644-abab-4b69-b739-edd2fbde8032", + "id": "bundle--07750e03-a22d-4416-b02c-b098744011ad", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b", "created": "2023-09-29T17:39:54.089Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:14.746Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
diff --git a/ics-attack/relationship/relationship--7bb1dbec-7314-479a-9496-86f8e25041eb.json b/ics-attack/relationship/relationship--7bb1dbec-7314-479a-9496-86f8e25041eb.json index 4b5f2f1909..403ee59600 100644 --- a/ics-attack/relationship/relationship--7bb1dbec-7314-479a-9496-86f8e25041eb.json +++ b/ics-attack/relationship/relationship--7bb1dbec-7314-479a-9496-86f8e25041eb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b6974b34-a6c0-4a26-a846-6ff0868ba5c3", + "id": "bundle--eae7eaf5-3db8-46d1-bfee-601231445cba", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--7bb1dbec-7314-479a-9496-86f8e25041eb", "created": "2023-09-29T16:40:43.415Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:14.965Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json b/ics-attack/relationship/relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json index 2e0d359f19..e479bdd13b 100644 --- a/ics-attack/relationship/relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json +++ b/ics-attack/relationship/relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fcf81973-dca1-41e1-9fc6-9c3c5955cde2", + "id": "bundle--4ded4baf-911c-48ab-83e3-9a696a1d1fcd", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07", "created": "2023-09-29T18:49:01.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:15.169Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json b/ics-attack/relationship/relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json index 9e830294fa..4f2169cb66 100644 --- a/ics-attack/relationship/relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json +++ b/ics-attack/relationship/relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--73c713b4-9b10-4760-8035-9fd68a833441", + "id": "bundle--51f64e62-b72e-4652-be31-f9775e764a1f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84", "created": "2023-09-28T20:07:15.553Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:15.437Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json b/ics-attack/relationship/relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json index a8895b38a3..17c06d7146 100644 --- a/ics-attack/relationship/relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json +++ b/ics-attack/relationship/relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f78de5cb-4cc5-48c2-9ef1-77f198304c39", + "id": "bundle--73de99a0-6a95-42cb-bf9a-3ae20290f5a9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07", "created": "2023-03-31T17:45:32.860Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Crashoverride 2018", diff --git a/ics-attack/relationship/relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json b/ics-attack/relationship/relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json index 20f7eeed4b..847b22eaa0 100644 --- a/ics-attack/relationship/relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json +++ b/ics-attack/relationship/relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ff875da-c469-4613-bec0-136c95843a08", + "id": "bundle--be53ce85-21d1-47ed-8619-71e47b783ab2", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea", "created": "2023-09-28T20:07:01.309Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:15.875Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json b/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json index 81c079c7c9..f46ecf4d7d 100644 --- a/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json +++ b/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1e71ac56-8bcf-4dc1-8a21-f159e3df8057", + "id": "bundle--cdd22186-83de-44a9-b8ae-bd81d9062022", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json b/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json index 7c214baa1f..0c5d29c727 100644 --- a/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json +++ b/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2cf1d731-bbed-4d2d-be4c-669248bec5b2", + "id": "bundle--a7887aaf-3f10-4869-9548-e126606397f3", "spec_version": "2.0", "objects": [ { 
@@ -24,14 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:16.338Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to download programs to Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ", + "modified": "2026-04-23T18:48:16.102Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) has used the CODESYS protocol to download programs to Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) [INCONTROLLER](https://attack.mitre.org/software/S1045) has also modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json b/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json index 7bb4b35dcf..1efc0c2f0a 100644 --- a/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json +++ b/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0212ad1f-84b9-4c43-b321-4ef2736e41ed", + "id": "bundle--60350b4e-ca10-48c8-bded-e54f997c39d6", "spec_version": "2.0", "objects": [ { 
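Review bot: The new `description` in relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c changes "can use" and "can modified" to "has used" and "has also modified", which turns a capability statement into a claim of observed activity. Confirm that the cited sources (Wylie-22, Brubaker-Incontroller) report actual use; detection and risk prioritisation built on this data may weight observed behaviour differently from capability. If the sources describe capability only, keep the original modality and fix just the grammar, e.g. `can modify program logic on Omron PLCs`. The new string also keeps a trailing space before the closing quote and drops the `\n\n` paragraph break between the two sentences. The relationship object starts above the hunk, so its `external_references` are not visible here.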
diff --git a/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json b/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json index f593c15f52..6cb1b06122 100644 --- a/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json +++ b/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d6bde4c2-bc3f-4e31-8120-8030dd96232c", + "id": "bundle--01815b90-b3c2-4e9e-aae5-e57ec927539b", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", diff --git a/ics-attack/relationship/relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23.json b/ics-attack/relationship/relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23.json index 0c70edbfe7..1d3c556051 100644 --- a/ics-attack/relationship/relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23.json +++ b/ics-attack/relationship/relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--174c8352-6f61-48fb-abee-580295967595", + "id": "bundle--d2cbeb22-3cf9-4372-8241-d4872b288372", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23", "created": "2023-09-29T18:48:29.126Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:17.412Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
diff --git a/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json b/ics-attack/relationship/relationship--7c7777a0-f96a-414c-b294-e9f0744bf8b8.json similarity index 85% rename from ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json rename to ics-attack/relationship/relationship--7c7777a0-f96a-414c-b294-e9f0744bf8b8.json index f0e868082b..93e493f169 100644 --- a/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json +++ b/ics-attack/relationship/relationship--7c7777a0-f96a-414c-b294-e9f0744bf8b8.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--69067aca-13e6-4cbb-afcc-13de869091d5", + "id": "bundle--c26b3c57-2296-4f47-bfb2-a6dc0f883dad", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a", + "id": "relationship--7c7777a0-f96a-414c-b294-e9f0744bf8b8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -23,10 +23,10 @@ "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json b/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json index abe80fd8ac..bac9fb0bf1 100644 --- a/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json +++ b/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1537c5df-6bd2-4935-bf5e-aa70ad55e28c", + "id": "bundle--9b05ad02-eff5-4565-a517-e4b12208c7cc", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--7c893581-c847-495a-aa93-9d98c516e1ae", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--7cfaea56-6125-4aad-a491-ce2f54a88c24.json b/ics-attack/relationship/relationship--7cfaea56-6125-4aad-a491-ce2f54a88c24.json new file mode 100644 index 0000000000..1ee20ec55e --- /dev/null +++ b/ics-attack/relationship/relationship--7cfaea56-6125-4aad-a491-ce2f54a88c24.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--2e507918-cad7-41f6-9f2c-8283f760b3c2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7cfaea56-6125-4aad-a491-ce2f54a88c24", + "created": "2026-04-22T20:42:02.295Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:42:02.295Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7d42ba22-9595-4463-8dda-c0e47a154fed.json b/ics-attack/relationship/relationship--7d42ba22-9595-4463-8dda-c0e47a154fed.json index 1753e2de81..e10ea5c3f6 100644 --- a/ics-attack/relationship/relationship--7d42ba22-9595-4463-8dda-c0e47a154fed.json +++ b/ics-attack/relationship/relationship--7d42ba22-9595-4463-8dda-c0e47a154fed.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8287224f-07e5-4c00-9bc2-04e7a6764cd2", + "id": "bundle--f737c00e-fcb2-4a4e-85e1-0da049278905", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--7d42ba22-9595-4463-8dda-c0e47a154fed", "created": "2023-09-28T20:07:48.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:18.952Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
diff --git a/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json b/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json index 350ffb220d..dc708a99a5 100644 --- a/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json +++ b/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b7f68930-ed39-4177-bc80-f506a0971033", + "id": "bundle--1ad598a3-44e5-4efd-9762-20518ffe874e", "spec_version": "2.0", "objects": [ { @@ -8,18 +8,17 @@ "id": "relationship--7d5759cd-890e-4ec5-b92b-aba225d52960", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:19.166Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "modified": "2025-12-24T17:47:36.339Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7d752615-33f0-44ed-a156-25d84f384e75.json b/ics-attack/relationship/relationship--7d752615-33f0-44ed-a156-25d84f384e75.json index 4231bb9cae..b295eea464 100644 --- a/ics-attack/relationship/relationship--7d752615-33f0-44ed-a156-25d84f384e75.json 
+++ b/ics-attack/relationship/relationship--7d752615-33f0-44ed-a156-25d84f384e75.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--015edbca-ebaa-4543-84ed-c738928f9924", + "id": "bundle--935015d0-e6ab-430f-ba69-ba90375838ee", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--7d752615-33f0-44ed-a156-25d84f384e75", "created": "2023-09-27T14:57:11.627Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Ukraine15 - EISAC - 201603", diff --git a/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json b/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json index e184ca1ffe..cbd6f59448 100644 --- a/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json +++ b/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7d201ac4-a054-4a60-8e16-0442bdb27720", + "id": "bundle--c6778a33-98e5-436e-9091-228e5d46e4d3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b.json b/ics-attack/relationship/relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b.json index c54880808f..bafadd371e 100644 --- a/ics-attack/relationship/relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b.json +++ b/ics-attack/relationship/relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--898458c2-e98d-4bf4-8034-c057d40f7c22", + "id": "bundle--335768ac-8841-46a9-a369-454f425d7aa4", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@
 "id": "relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b",
 "created": "2024-04-09T20:53:54.209Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:03:20.498Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
 "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
diff --git a/ics-attack/relationship/relationship--0d617f2e-5c61-419b-9573-35d63fe1df1c.json b/ics-attack/relationship/relationship--7de5de32-6f37-4419-97b8-77eb9d69be40.json
similarity index 78%
rename from ics-attack/relationship/relationship--0d617f2e-5c61-419b-9573-35d63fe1df1c.json
rename to ics-attack/relationship/relationship--7de5de32-6f37-4419-97b8-77eb9d69be40.json
index fd3c57f50d..f5eb8461f0 100644
--- a/ics-attack/relationship/relationship--0d617f2e-5c61-419b-9573-35d63fe1df1c.json
+++ b/ics-attack/relationship/relationship--7de5de32-6f37-4419-97b8-77eb9d69be40.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--1d226c91-c9e1-4efd-80fa-ddb00412b599",
+ "id": "bundle--3202571a-b1a1-4115-a499-041fa9aef7ff",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--0d617f2e-5c61-419b-9573-35d63fe1df1c",
+ "id": "relationship--7de5de32-6f37-4419-97b8-77eb9d69be40",
 "created": "2025-09-29T19:02:59.197Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -14,7 +14,7 @@
 ],
 "modified": "2025-09-29T19:02:59.197Z",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5",
 "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
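Review bot: `"modified": "2025-04-16T23:03:20.498Z"` stays an unchanged context line in the `@@ -8,12 +8,10 @@` hunk for `relationship--7dd11d5e-1c1c-4f94-b4bf-4fd59988539b`, although the object loses its `revoked` and `description` properties. STIX versioning identifies an object version by `id` plus `modified`, so a consumer that syncs incrementally or de-duplicates on that pair will see the old and the new serialisation as the same version and may keep the stale one. I would bump the timestamp together with the content change, e.g. `"modified": "<export time of this release>"` (placeholder), or state in the release notes that dropping default-valued properties is not meant to be a new version. The same pattern is visible in the hunks for `relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858`, `relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706`, `relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7`, `relationship--7f520bef-d179-415a-b921-d30ff60d2284` and the later `targets` objects; the object's closing lines are outside this hunk.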
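Review bot: The rename to `relationship--7de5de32-6f37-4419-97b8-77eb9d69be40.json` re-issues this `targets` relationship under a new id with a different `source_ref`, yet `created` and `modified` both stay at `2025-09-29T19:02:59.197Z` and the old id `relationship--0d617f2e-5c61-419b-9573-35d63fe1df1c` disappears without a final version. A consumer that merges releases by object id keeps the old edge from `attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60` to the asset, because nothing marks it as withdrawn, and technique-to-asset coverage maps built on that data drift. If the old id is not retired elsewhere in the release, publishing one last version of it with `"revoked": true` (or `"x_mitre_deprecated": true`) and a fresh `modified` would make the change visible. The renames to `relationship--80d77b53-6aa4-4703-946f-6c7f0748f823`, `relationship--81cd1138-ca48-4c06-8964-3fe007b3593a`, `relationship--81fd1ae0-e3ef-40b7-86d8-89c85fd86100` and `relationship--82810cd2-99e9-4ef6-b3fb-0a7a47d76661` follow the same pattern; the object's last lines fall outside the second hunk.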
diff --git a/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json b/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json
index accb355bc2..d243f81110 100644
--- a/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json
+++ b/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--22d35d64-db32-437f-84b1-f04158d77e87",
+ "id": "bundle--2a4efde3-d67f-4dc2-9546-e9767fe1d8a5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--7e0531c4-fb87-4d66-9595-024a08a71598.json b/ics-attack/relationship/relationship--7e0531c4-fb87-4d66-9595-024a08a71598.json
new file mode 100644
index 0000000000..6c3b744898
--- /dev/null
+++ b/ics-attack/relationship/relationship--7e0531c4-fb87-4d66-9595-024a08a71598.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--6e7867db-33e5-4969-a736-f6c97a11a0f2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--7e0531c4-fb87-4d66-9595-024a08a71598",
+ "created": "2026-04-20T20:54:20.734Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-20T20:54:20.734Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a",
+ "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858.json b/ics-attack/relationship/relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858.json
index 878f7b05ea..f293fab1f3 100644
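Review bot: The new `subtechnique-of` object in `relationship--7e0531c4-fb87-4d66-9595-024a08a71598.json` has no `x_mitre_deprecated` property, while the other relationship files added in this diff (for example `relationship--7f3ee61b-3ef1-41da-9853-6520a2ea942d` and `relationship--81029694-8a6d-49f5-a053-ee2e29c086c7`) carry `"x_mitre_deprecated": false`. It also writes `"revoked": false`, the very property this commit strips from existing relationships. Consumers that filter with a direct key lookup rather than a default will treat the two shapes differently, so I would either add `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version` or apply one rule for default-valued flags across the export. Filtering code on the consumer side should in any case read both flags with a default of false.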
--- a/ics-attack/relationship/relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858.json +++ b/ics-attack/relationship/relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0bd4a08f-8e48-4d45-b06e-dce603a42ab4", + "id": "bundle--61e4b8d8-0ab4-4d7a-b4de-271c2e6fe42c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858", "created": "2023-09-29T16:32:46.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:21.134Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706.json b/ics-attack/relationship/relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706.json index c64a170de5..3ef28e4455 100644 --- a/ics-attack/relationship/relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706.json +++ b/ics-attack/relationship/relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9792afe9-40f6-4af6-97cc-5f2d39f5d856", + "id": "bundle--5d3777b0-8354-487d-9cfd-3cd24b3c2e8a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706", "created": "2023-09-28T20:28:16.122Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:21.376Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
diff --git a/ics-attack/relationship/relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7.json b/ics-attack/relationship/relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7.json index 0daf7cab87..9ea05fc5c7 100644 --- a/ics-attack/relationship/relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7.json +++ b/ics-attack/relationship/relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--19f20671-837d-48f2-b481-36eb0740819a", + "id": "bundle--809accf9-470b-4a7f-b4e7-835686cf9ee8", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7", "created": "2023-09-29T17:43:22.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:21.575Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--7f3ee61b-3ef1-41da-9853-6520a2ea942d.json b/ics-attack/relationship/relationship--7f3ee61b-3ef1-41da-9853-6520a2ea942d.json new file mode 100644 index 0000000000..e5d9c9421d --- /dev/null +++ b/ics-attack/relationship/relationship--7f3ee61b-3ef1-41da-9853-6520a2ea942d.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--fb5e98ac-6e9e-4927-bf38-7a92a5d69f37", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7f3ee61b-3ef1-41da-9853-6520a2ea942d", + "created": "2026-04-22T22:52:08.690Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:52:08.690Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7f520bef-d179-415a-b921-d30ff60d2284.json b/ics-attack/relationship/relationship--7f520bef-d179-415a-b921-d30ff60d2284.json index b5a89f26d2..95cfac30c9 100644 --- a/ics-attack/relationship/relationship--7f520bef-d179-415a-b921-d30ff60d2284.json +++ b/ics-attack/relationship/relationship--7f520bef-d179-415a-b921-d30ff60d2284.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eacdcca8-c71f-4067-b2fe-24ed94de37e1", + "id": "bundle--d5e302b9-7dd5-4f39-81ea-b54055bd906b", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--636329e6-32b9-4a71-acf8-ae6d01a6b4ef", "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", diff --git a/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json b/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json index f8c8268ca4..7e80b82f8c 100644 
--- a/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json +++ b/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c60ee706-40db-42ee-b4d1-457fd3a41d92", + "id": "bundle--7b8f09a8-6e7b-4d29-ae40-1d8b8e9aa359", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json b/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json index 54ebf2c087..35180ba45f 100644 --- a/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json +++ b/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f141e565-b604-48d9-803e-3840edc4270d", + "id": "bundle--faf983ba-0511-4992-8d29-17655496ed13", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--80250a66-dec0-4ef5-8a76-b3aa24fe5bc3.json b/ics-attack/relationship/relationship--80250a66-dec0-4ef5-8a76-b3aa24fe5bc3.json index b857a32bcb..0a32a5cd17 100644 --- a/ics-attack/relationship/relationship--80250a66-dec0-4ef5-8a76-b3aa24fe5bc3.json +++ b/ics-attack/relationship/relationship--80250a66-dec0-4ef5-8a76-b3aa24fe5bc3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--15c42921-e672-43a8-84f1-0f77fc4fb197", + "id": "bundle--f89e5ae1-e130-43af-a7dd-6d7dcfe3f642", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--80250a66-dec0-4ef5-8a76-b3aa24fe5bc3", "created": "2025-09-29T19:15:36.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json b/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json index e9127a1583..4a70cdb0c1 100644 
--- a/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json +++ b/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--40fcb3db-e7f1-42a0-82ac-4f10426a1b53", + "id": "bundle--02842c97-b063-4924-a906-5fa20f0df458", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json b/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json index 003ff09543..bf3f9c0d89 100644 --- a/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json +++ b/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9df7dc6a-8523-4bda-bf9a-c26c3be6ba60", + "id": "bundle--9d002c4f-c222-4f42-b8a9-fc8f5d43f088", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json b/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json index c723eecf41..413b0636ee 100644 --- a/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json +++ b/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ad3e1ca-54ed-4906-a5cc-b2df4aef7333", + "id": "bundle--7c404ca7-8bfa-4821-8c74-a60ea8b5671a", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--80a69b56-337d-446a-8167-8b9f63083c4f", "created": "2022-09-28T21:24:21.810Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA-AA22-103A", diff --git a/ics-attack/relationship/relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b.json b/ics-attack/relationship/relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b.json index a0d9c45c79..f8ee6b7636 100644 --- a/ics-attack/relationship/relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b.json +++ b/ics-attack/relationship/relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--572fa342-d2ed-4c90-993c-0a02445901a3", + "id": "bundle--414e6755-595b-41ae-8658-be6c9d723150", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--80cf98bd-b7dc-45cf-91a6-4ab6b79a7f0b", "created": "2024-03-25T20:17:49.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:23.570Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json b/ics-attack/relationship/relationship--80d77b53-6aa4-4703-946f-6c7f0748f823.json similarity index 77% rename from ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json rename to ics-attack/relationship/relationship--80d77b53-6aa4-4703-946f-6c7f0748f823.json index 504addbd65..ca1e27bfa1 100644 --- a/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json +++ b/ics-attack/relationship/relationship--80d77b53-6aa4-4703-946f-6c7f0748f823.json 
@@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--fced7a72-b153-42a4-9372-f9097c67c3a6", + "id": "bundle--bb44e337-3e6d-4bd7-a1f3-31e21e879ab0", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1", + "id": "relationship--80d77b53-6aa4-4703-946f-6c7f0748f823", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--81029694-8a6d-49f5-a053-ee2e29c086c7.json b/ics-attack/relationship/relationship--81029694-8a6d-49f5-a053-ee2e29c086c7.json new file mode 100644 index 0000000000..387d0a1472 --- /dev/null +++ b/ics-attack/relationship/relationship--81029694-8a6d-49f5-a053-ee2e29c086c7.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--b9699772-7db0-487a-8ab7-86f8d73df714", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--81029694-8a6d-49f5-a053-ee2e29c086c7", + "created": "2026-04-22T22:30:19.729Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:30:19.729Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--81055366-e78b-40e0-a799-4b536ba03db3.json b/ics-attack/relationship/relationship--81055366-e78b-40e0-a799-4b536ba03db3.json index 45f6b0da59..db4abd2aaf 100644 --- a/ics-attack/relationship/relationship--81055366-e78b-40e0-a799-4b536ba03db3.json +++ b/ics-attack/relationship/relationship--81055366-e78b-40e0-a799-4b536ba03db3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf86dd35-09fc-432c-aa2e-c365c4bdb528", + "id": "bundle--01f9ab05-3cd0-4d5d-b6a8-a40f6b33f70b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--81055366-e78b-40e0-a799-4b536ba03db3", "created": "2023-09-29T18:45:22.474Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:23.776Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
diff --git a/ics-attack/relationship/relationship--81806f43-c9aa-486e-8032-4e4665ba0d39.json b/ics-attack/relationship/relationship--81806f43-c9aa-486e-8032-4e4665ba0d39.json index bdf54a28c7..e7bb534a9f 100644 --- a/ics-attack/relationship/relationship--81806f43-c9aa-486e-8032-4e4665ba0d39.json +++ b/ics-attack/relationship/relationship--81806f43-c9aa-486e-8032-4e4665ba0d39.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3c1c73e2-d4df-453c-a71e-7e5baf1302ac", + "id": "bundle--9808168d-cca4-43ab-be7a-09e4d41f7b9b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--81806f43-c9aa-486e-8032-4e4665ba0d39", "created": "2023-09-29T18:43:13.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:24.650Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json b/ics-attack/relationship/relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json index 3af1fea397..c52c51d4f4 100644 --- a/ics-attack/relationship/relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json +++ b/ics-attack/relationship/relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--21f7b87d-bcac-48d4-b5c6-b57c1bf4b9db", + "id": "bundle--c8a5754e-85e5-4dc2-88ba-38e4c5b5f4ae", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32", "created": "2023-09-28T21:13:00.330Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:24.878Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json b/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json index a725346946..5aaf2492b5 100644 --- a/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json +++ b/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90a03245-2522-40fd-a682-da5979146797", + "id": "bundle--b43b04f5-0d7a-4246-8480-d44b11a38c74", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json b/ics-attack/relationship/relationship--81cd1138-ca48-4c06-8964-3fe007b3593a.json similarity index 58% rename from ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json rename to ics-attack/relationship/relationship--81cd1138-ca48-4c06-8964-3fe007b3593a.json index f2d942cc2b..e32938a48c 100644 --- a/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json +++ b/ics-attack/relationship/relationship--81cd1138-ca48-4c06-8964-3fe007b3593a.json 
@@ -1,25 +1,25 @@ { "type": "bundle", - "id": "bundle--1561123a-3725-4ca7-9f9f-5fb4e69e01cb", + "id": "bundle--7e3c35a8-33b5-4a4a-b1f2-2f11579e6fb5", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--26e58427-a2bd-4e77-9939-16ef60a072e7", + "id": "relationship--81cd1138-ca48-4c06-8964-3fe007b3593a", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:37.528Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "modified": "2025-12-24T17:47:20.456Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a83e4676-2b9e-4b9d-bb21-f493f3ee3bbf.json b/ics-attack/relationship/relationship--81fd1ae0-e3ef-40b7-86d8-89c85fd86100.json similarity index 75% rename from ics-attack/relationship/relationship--a83e4676-2b9e-4b9d-bb21-f493f3ee3bbf.json rename to ics-attack/relationship/relationship--81fd1ae0-e3ef-40b7-86d8-89c85fd86100.json index 1177f3a4ab..c4b1febb60 100644 --- a/ics-attack/relationship/relationship--a83e4676-2b9e-4b9d-bb21-f493f3ee3bbf.json +++ b/ics-attack/relationship/relationship--81fd1ae0-e3ef-40b7-86d8-89c85fd86100.json 
@@ -1,21 +1,21 @@ { "type": "bundle", - "id": "bundle--9d1b24b7-17c3-43c8-ac21-48631fb7eece", + "id": "bundle--398ade49-76be-47a3-be94-21230540eaca", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--a83e4676-2b9e-4b9d-bb21-f493f3ee3bbf", + "id": "relationship--81fd1ae0-e3ef-40b7-86d8-89c85fd86100", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c0e6c96d-8605-407a-9bce-628e7853b07f", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" diff --git a/ics-attack/relationship/relationship--600f0115-94e3-49bf-afa6-0180b3367b94.json b/ics-attack/relationship/relationship--82810cd2-99e9-4ef6-b3fb-0a7a47d76661.json similarity index 71% rename from ics-attack/relationship/relationship--600f0115-94e3-49bf-afa6-0180b3367b94.json rename to ics-attack/relationship/relationship--82810cd2-99e9-4ef6-b3fb-0a7a47d76661.json index 70e9c847aa..0b1e42286e 100644 --- a/ics-attack/relationship/relationship--600f0115-94e3-49bf-afa6-0180b3367b94.json +++ b/ics-attack/relationship/relationship--82810cd2-99e9-4ef6-b3fb-0a7a47d76661.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--06a2ce9b-74c3-405e-b810-13daee6b7459", + "id": "bundle--7938fc71-8a06-46eb-ad4d-d732db493225", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--600f0115-94e3-49bf-afa6-0180b3367b94", + "id": "relationship--82810cd2-99e9-4ef6-b3fb-0a7a47d76661", "created": "2023-09-28T20:06:15.180Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:02:40.318Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json b/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json index 82f5775bb2..5aad0c4d10 100644 --- a/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json +++ b/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc66cb9d-033f-4c98-a697-66ab746c9ed9", + "id": "bundle--7f4c2c50-7b5c-4c55-bb7e-53425b21a141", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--82b20c35-88c6-49aa-8241-a59512b17b74", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
diff --git a/ics-attack/relationship/relationship--8315b50c-08b9-4a9b-b8cf-13bc4d97427f.json b/ics-attack/relationship/relationship--8315b50c-08b9-4a9b-b8cf-13bc4d97427f.json new file mode 100644 index 0000000000..4a87d96121 --- /dev/null +++ b/ics-attack/relationship/relationship--8315b50c-08b9-4a9b-b8cf-13bc4d97427f.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--d7941dd3-a541-4019-9190-02dcde66948e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--8315b50c-08b9-4a9b-b8cf-13bc4d97427f",
+ "created": "2026-04-22T19:58:17.858Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "CERT Polska",
+ "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.",
+ "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T20:20:11.148Z",
+ "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries executed PowerShell commands on the Human Machine Interface (HMI) to make configuration changes that enabled administrative shares and created a new firewall rule to enable traffic over port 445 as well as conducted network reconnaissance activities.(Citation: CERT Polska)\n\nDuring the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries executed PowerShell commands on the domain controller that collected and exfiltrated the SAM and SYSTEM registry hives and the Active Directory database (ntds.dit).(Citation: CERT Polska)\n\nDuring the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries logged into the Mikronika RTUs via SSH, with root privileges, and executed Linux commands to delete all the files on the system resulting in device failure.(Citation: CERT Polska)\n",
+ "relationship_type": "uses",
+ "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d",
+ "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--834b1fa4-ee6d-43c7-9e07-1b6a47dee4a2.json b/ics-attack/relationship/relationship--834b1fa4-ee6d-43c7-9e07-1b6a47dee4a2.json
new file mode 100644
index 0000000000..510d9cc876
--- /dev/null
+++ b/ics-attack/relationship/relationship--834b1fa4-ee6d-43c7-9e07-1b6a47dee4a2.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--0ea4ebe8-fa6e-4201-aeb5-27a5c3dae61b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--834b1fa4-ee6d-43c7-9e07-1b6a47dee4a2",
+ "created": "2026-04-22T20:38:34.433Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T20:38:34.433Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91",
+ "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--83a964cb-730c-44e4-859b-b5246159396b.json b/ics-attack/relationship/relationship--83a964cb-730c-44e4-859b-b5246159396b.json
index c6d8d49cb6..2771357186 100644
--- a/ics-attack/relationship/relationship--83a964cb-730c-44e4-859b-b5246159396b.json
+++ b/ics-attack/relationship/relationship--83a964cb-730c-44e4-859b-b5246159396b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f5c59d01-166d-4f14-91d3-ff1143209922",
+ "id": "bundle--ab1aa0db-32d1-4207-aeb8-99557236324e",
 "spec_version": "2.0",
 "objects": [
 {
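Review bot: The `description` of the new `uses` relationship `relationship--8315b50c-08b9-4a9b-b8cf-13bc4d97427f` packs three separate procedures into one string: PowerShell on the HMI, PowerShell on the domain controller, and Linux commands over SSH on the RTUs, each repeating the campaign link and the citation. The name of `attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c` is not visible in this hunk, so whether all three belong under that one technique cannot be checked here. If it is a command-execution technique, the credential-store collection and the file deletion that caused device failure presumably need their own `uses` relationships to the matching collection and impact techniques, which is worth confirming so that coverage and detection mappings built from this data do not miss them. A single lead-in sentence followed by the three procedures would also read more cleanly than three paragraphs that open identically.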
@@ -8,12 +8,10 @@ "id": "relationship--83a964cb-730c-44e4-859b-b5246159396b", "created": "2023-09-29T17:59:43.275Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:25.998Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json b/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json index fba40ef810..7da2a20716 100644 --- a/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json +++ b/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d65fb3df-9394-4b01-bb24-55e890261940", + "id": "bundle--29e829ed-a405-443b-bde1-a402554a5f80", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--83c29179-4805-403a-acf5-5151c4d2e556", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", diff --git a/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json b/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json index 8223f91f40..693cf2375f 100644 --- a/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json +++ b/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--21901499-347f-44ed-b02e-36c3dc8b4648", + "id": "bundle--84041460-4bb2-432e-b396-e042016a80dc", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--83c8c216-7ff7-4bd3-9db4-573469628d95", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik August 2019", diff --git a/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json b/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json index 26cbdcf779..57fbf0f9f1 100644 --- a/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json +++ b/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c98d32b4-3752-469a-9e81-13e4394f6905", + "id": "bundle--e28b8597-80be-441c-bdfd-d6a5743102f1", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", diff --git a/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json b/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json index dbddb6c902..53b427d328 100644 --- a/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json +++ b/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e1c02265-222f-4a46-a7a1-7bbacb947131", + "id": "bundle--6e94c115-c656-4277-9f97-c112a97f1c37", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8465924f-8201-43c4-bd7c-961215f839d0.json b/ics-attack/relationship/relationship--8465924f-8201-43c4-bd7c-961215f839d0.json new file mode 100644 index 0000000000..125313f245 --- /dev/null 
+++ b/ics-attack/relationship/relationship--8465924f-8201-43c4-bd7c-961215f839d0.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--205bad79-9fe4-4824-8878-5960df24410e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8465924f-8201-43c4-bd7c-961215f839d0", + "created": "2026-04-22T16:36:05.760Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:36:05.760Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--84671396-a556-4a5d-9bb9-cac697277371.json b/ics-attack/relationship/relationship--84671396-a556-4a5d-9bb9-cac697277371.json index 77b42b13a0..25fe894d0c 100644 --- a/ics-attack/relationship/relationship--84671396-a556-4a5d-9bb9-cac697277371.json +++ b/ics-attack/relationship/relationship--84671396-a556-4a5d-9bb9-cac697277371.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1d031e75-3a2b-45b5-a0f6-cfcc451775e2", + "id": "bundle--6f3016e8-ca20-4ec8-a13e-dcdce50272dc", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--84671396-a556-4a5d-9bb9-cac697277371", "created": "2023-09-29T16:31:12.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:27.313Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json b/ics-attack/relationship/relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json index d3617e9f9f..53a79f2788 100644 --- a/ics-attack/relationship/relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json +++ b/ics-attack/relationship/relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--25505961-f88f-43bc-9995-8250cccabcaa", + "id": "bundle--91cedfc3-cae3-4ba9-b05f-870a4bed2a70", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65", "created": "2023-09-28T21:11:15.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:27.552Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--847962a8-3dfd-4b8c-81a8-dc8284766109.json b/ics-attack/relationship/relationship--847962a8-3dfd-4b8c-81a8-dc8284766109.json new file mode 100644 index 0000000000..dd02940d28 --- /dev/null +++ b/ics-attack/relationship/relationship--847962a8-3dfd-4b8c-81a8-dc8284766109.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--57643a4b-729d-4cf3-9eb1-d7e48be8d9ff", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--847962a8-3dfd-4b8c-81a8-dc8284766109", + "created": "2026-04-23T00:36:51.811Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:36:51.811Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--84b0a0f5-79e6-4e18-a7fe-0a0427911416.json b/ics-attack/relationship/relationship--84b0a0f5-79e6-4e18-a7fe-0a0427911416.json index eeb5918767..039ef3a102 100644 --- a/ics-attack/relationship/relationship--84b0a0f5-79e6-4e18-a7fe-0a0427911416.json +++ b/ics-attack/relationship/relationship--84b0a0f5-79e6-4e18-a7fe-0a0427911416.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa57f769-df27-4882-954c-7cfa31415a52", + "id": "bundle--ec6ce222-d160-488a-9a6d-b580dccaba97", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--84b0a0f5-79e6-4e18-a7fe-0a0427911416", "created": "2025-09-29T19:49:31.019Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--0951222a-42d1-4635-bb12-5285bc6500e0.json b/ics-attack/relationship/relationship--84d9ff92-234f-4b11-a350-fad07941ff3e.json similarity index 71% rename from ics-attack/relationship/relationship--0951222a-42d1-4635-bb12-5285bc6500e0.json rename to ics-attack/relationship/relationship--84d9ff92-234f-4b11-a350-fad07941ff3e.json index c1638a8e2b..6820fed84f 100644 --- a/ics-attack/relationship/relationship--0951222a-42d1-4635-bb12-5285bc6500e0.json +++ b/ics-attack/relationship/relationship--84d9ff92-234f-4b11-a350-fad07941ff3e.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--8f05d673-9ec7-4904-b6af-2d9f0ad57a0f", + "id": "bundle--12e86ba1-040e-44e3-abd3-bd5abbd16a29", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--0951222a-42d1-4635-bb12-5285bc6500e0", + "id": "relationship--84d9ff92-234f-4b11-a350-fad07941ff3e", "created": "2023-09-28T20:15:45.244Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:00:59.066Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--84fa50ff-bb84-4ab6-b759-658c57532c42.json b/ics-attack/relationship/relationship--84fa50ff-bb84-4ab6-b759-658c57532c42.json index d56885a698..45af85af04 100644 --- a/ics-attack/relationship/relationship--84fa50ff-bb84-4ab6-b759-658c57532c42.json 
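Review bot: The re-keyed object relationship--84d9ff92-234f-4b11-a350-fad07941ff3e keeps `"modified": "2025-04-16T23:00:59.066Z"` even though its `source_ref` now points at attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9 and its spec version moves to 3.3.0; the timestamp should reflect this edit. The previous id relationship--0951222a-42d1-4635-bb12-5285bc6500e0 disappears through the rename rather than remaining as a revoked or deprecated object, so a consumer that merges by id would likely keep the stale edge to attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61, which this same diff marks `"revoked": true`. If the repository's convention allows it, keep the old file with `"x_mitre_deprecated": true` so the retirement is visible downstream. The rename of relationship--33bc3e6f to relationship--88cadeca also leaves `modified` untouched, and the renames to relationship--88c470f0 and relationship--898a9eb9 drop the old id in the same way.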
+++ b/ics-attack/relationship/relationship--84fa50ff-bb84-4ab6-b759-658c57532c42.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cd1335ec-5fd8-442b-8989-36c4f875aeab", + "id": "bundle--2ee91a00-6cb7-4ac5-8981-e2e516b7479f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--84fa50ff-bb84-4ab6-b759-658c57532c42", "created": "2023-09-29T16:32:09.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:27.783Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json b/ics-attack/relationship/relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json index d1e8d122ba..e0c7d8f001 100644 --- a/ics-attack/relationship/relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json +++ b/ics-attack/relationship/relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85f22aed-75ca-4fb3-9a2b-3c264ae75c99", + "id": "bundle--388523b3-e698-4e24-ab5f-2ba4b85312a0", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7", "created": "2023-09-29T18:01:32.878Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:28.038Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
diff --git a/ics-attack/relationship/relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75.json b/ics-attack/relationship/relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75.json index 820e9aa70c..57298054c4 100644 --- a/ics-attack/relationship/relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75.json +++ b/ics-attack/relationship/relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e1da5fec-673e-40b6-bab1-bb2f886652fa", + "id": "bundle--c180ab32-c0cb-468c-9ad8-d022a440a5b0", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75", "created": "2023-09-29T17:59:22.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:28.278Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--856cf76e-5058-41f0-ae71-6cb463fc36c7.json b/ics-attack/relationship/relationship--856cf76e-5058-41f0-ae71-6cb463fc36c7.json index 8c296ef9f5..9c29ff823b 100644 --- a/ics-attack/relationship/relationship--856cf76e-5058-41f0-ae71-6cb463fc36c7.json +++ b/ics-attack/relationship/relationship--856cf76e-5058-41f0-ae71-6cb463fc36c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--29729a2d-c2bf-4c28-b86e-02caec11d36d", + "id": "bundle--7f3f1595-22a5-4282-bb20-28c0316cfdb4", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--856cf76e-5058-41f0-ae71-6cb463fc36c7", "created": "2025-09-24T18:18:02.902Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--856e18a8-df82-402a-9105-ff4b7e4caf12.json b/ics-attack/relationship/relationship--856e18a8-df82-402a-9105-ff4b7e4caf12.json index deb1398907..34e356a387 100644 --- a/ics-attack/relationship/relationship--856e18a8-df82-402a-9105-ff4b7e4caf12.json +++ b/ics-attack/relationship/relationship--856e18a8-df82-402a-9105-ff4b7e4caf12.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--86fb0b59-c056-444f-8bab-d3e648759e21", + "id": "bundle--08ea1fa3-9f35-4bd3-8558-c06998376b49", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--856e18a8-df82-402a-9105-ff4b7e4caf12", "created": "2024-11-20T23:07:17.528Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", diff --git a/ics-attack/relationship/relationship--85b1bbb1-458f-4be3-8bd9-ef0fa23179ee.json b/ics-attack/relationship/relationship--85b1bbb1-458f-4be3-8bd9-ef0fa23179ee.json index a8cb3e2394..cf8548d81f 100644 --- a/ics-attack/relationship/relationship--85b1bbb1-458f-4be3-8bd9-ef0fa23179ee.json +++ b/ics-attack/relationship/relationship--85b1bbb1-458f-4be3-8bd9-ef0fa23179ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f2b833f-1bb8-4d19-9717-8a8a08513b85", + "id": "bundle--f4d94bd5-3812-47d1-9a75-be73aea61cbb", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--85b1bbb1-458f-4be3-8bd9-ef0fa23179ee", "created": "2025-09-29T18:57:01.145Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--86668811-c57b-4aba-860f-22ca4d7b9600.json b/ics-attack/relationship/relationship--86668811-c57b-4aba-860f-22ca4d7b9600.json index 86db65ac5d..cbcc6ecec6 100644 --- a/ics-attack/relationship/relationship--86668811-c57b-4aba-860f-22ca4d7b9600.json 
+++ b/ics-attack/relationship/relationship--86668811-c57b-4aba-860f-22ca4d7b9600.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2c5a25e4-e447-4ce2-b5a5-c7a2ead67b2e", + "id": "bundle--8473b2f4-3a61-4721-8842-b85d9fa598f2", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--86668811-c57b-4aba-860f-22ca4d7b9600", "created": "2025-09-29T19:05:59.118Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json b/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json index 7c679da77c..3c941cb3e0 100644 --- a/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json +++ b/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--afcf5c7c-1147-4600-9587-48321f15a48e", + "id": "bundle--24f31068-b639-410b-9610-1d99a4ceabf9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--868db512-b897-4a54-ae56-ac78f6c93a14", "created": "2022-09-28T20:29:18.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA-AA22-103A", diff --git a/ics-attack/relationship/relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc.json b/ics-attack/relationship/relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc.json index 04e790734f..3de4c98270 100644 --- a/ics-attack/relationship/relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc.json +++ b/ics-attack/relationship/relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04bf5225-8a35-4043-ac24-92654afc8fcf", + "id": "bundle--63a794f5-5576-470b-b28b-ef77e3af1fd9", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc", "created": "2023-09-28T19:58:13.866Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:29.013Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--86d04319-a13e-4105-9def-c659360c4613.json b/ics-attack/relationship/relationship--86d04319-a13e-4105-9def-c659360c4613.json new file mode 100644 index 0000000000..e8a4d774e2 --- /dev/null +++ b/ics-attack/relationship/relationship--86d04319-a13e-4105-9def-c659360c4613.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--9a2601b4-cb75-4a81-bf08-8a5c533578cc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--86d04319-a13e-4105-9def-c659360c4613", + "created": "2026-04-22T20:28:54.853Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T19:41:03.866Z", + "description": "Ensure proper network segmentation is followed to protect critical systems and devices.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json b/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json index e4d41f66ee..04cabe8c98 100644 --- a/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json +++ b/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2b696a19-dbfc-4269-9019-4581b9f10fab", + "id": "bundle--2391c6ab-38a7-48f2-9832-09e8c05efb52", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--86f1655a-db46-4d49-9051-6653da83eb13", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Keith Stouffer May 2015", diff --git a/ics-attack/relationship/relationship--876e4a50-7c73-4733-bad0-e3a701adf059.json b/ics-attack/relationship/relationship--876e4a50-7c73-4733-bad0-e3a701adf059.json index 085f6fc8fc..bb38c723f0 100644 --- a/ics-attack/relationship/relationship--876e4a50-7c73-4733-bad0-e3a701adf059.json +++ b/ics-attack/relationship/relationship--876e4a50-7c73-4733-bad0-e3a701adf059.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f2b69a50-75f3-4d73-85cc-5a193c127f2f", + "id": "bundle--75ee984f-c2a1-4f7c-a321-3892e52fb15d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--876e4a50-7c73-4733-bad0-e3a701adf059", "created": "2025-09-29T21:58:16.538Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--87a546cf-387f-48c6-9b0f-1179af49be88.json b/ics-attack/relationship/relationship--87a546cf-387f-48c6-9b0f-1179af49be88.json new file mode 100644 index 0000000000..6e657747f2 --- /dev/null 
+++ b/ics-attack/relationship/relationship--87a546cf-387f-48c6-9b0f-1179af49be88.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--67fc50de-92ef-4d54-83cf-ffe807cbedeb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--87a546cf-387f-48c6-9b0f-1179af49be88", + "created": "2026-04-22T22:48:12.355Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:48:12.355Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json b/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json index 98f84f875b..bc28232a0f 100644 --- a/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json +++ b/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--848f6bbe-5fe1-45fc-bdaa-9b11cb9614e7", + "id": "bundle--be99e61b-dd01-4744-bdc4-690195020afd", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--87c8ab74-576d-4962-b641-0762d374d1e8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", 
diff --git a/ics-attack/relationship/relationship--88363abe-64e6-4a4a-9d6e-e9a886f1d372.json b/ics-attack/relationship/relationship--88363abe-64e6-4a4a-9d6e-e9a886f1d372.json index c3d390b752..9a8c5771fa 100644 --- a/ics-attack/relationship/relationship--88363abe-64e6-4a4a-9d6e-e9a886f1d372.json +++ b/ics-attack/relationship/relationship--88363abe-64e6-4a4a-9d6e-e9a886f1d372.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--37083c96-a72a-4437-8c02-0ed6d75f0c68", + "id": "bundle--75894969-3961-40dd-a790-4239b686087b", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--825106d1-6f44-47a1-b8dd-c3e3b6cecab7", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", diff --git a/ics-attack/relationship/relationship--88402181-99da-4c51-93d2-5203ee139da5.json b/ics-attack/relationship/relationship--88402181-99da-4c51-93d2-5203ee139da5.json index ee7b3930f7..d940e06a5f 100644 --- a/ics-attack/relationship/relationship--88402181-99da-4c51-93d2-5203ee139da5.json +++ b/ics-attack/relationship/relationship--88402181-99da-4c51-93d2-5203ee139da5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a5821304-28f4-4458-9d5d-189b2da5d9be", + "id": "bundle--4a6c89ab-98c3-46ec-9ef5-89fdce25175d", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--fddbd892-faa2-40e1-b40d-2c6e33c00f14", "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", 
diff --git a/ics-attack/relationship/relationship--8869fa66-e54f-4c03-8290-a86a0cd0d8d6.json b/ics-attack/relationship/relationship--8869fa66-e54f-4c03-8290-a86a0cd0d8d6.json new file mode 100644 index 0000000000..51db35b834 --- /dev/null +++ b/ics-attack/relationship/relationship--8869fa66-e54f-4c03-8290-a86a0cd0d8d6.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--3f5bbdd2-c1ef-45ec-87c4-96f40d651549", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8869fa66-e54f-4c03-8290-a86a0cd0d8d6", + "created": "2026-04-22T13:27:29.300Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:27:29.300Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json b/ics-attack/relationship/relationship--88c470f0-7214-4a2b-bd35-3c71733ce392.json similarity index 77% rename from ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json rename to ics-attack/relationship/relationship--88c470f0-7214-4a2b-bd35-3c71733ce392.json index 9694f08625..25e254497f 100644 --- a/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json +++ b/ics-attack/relationship/relationship--88c470f0-7214-4a2b-bd35-3c71733ce392.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--26849d8e-84a8-430e-a785-8d9bf7e5c982", + "id": "bundle--4102af47-cdf3-49fc-8e37-d679ee44154b", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--0c284ce0-0be2-4164-b686-7c383b246aec", + "id": "relationship--88c470f0-7214-4a2b-bd35-3c71733ce392", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -29,14 +29,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:01:03.032Z", - "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n", + "modified": "2026-04-23T19:26:53.568Z", + "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology.(Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory.(Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this.(Citation: Intel)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
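Review bot: The rewritten `description` for relationship--88c470f0-7214-4a2b-bd35-3c71733ce392 still carries `(Citation: N/A)`, which leaves the Trusted Platform Module recommendation without a traceable source. The hunk does not show `external_references` in full, so whether an entry named "N/A" exists cannot be confirmed from here. Replace the marker with a real source name or drop it, so the sentence reads `Use Trusted Platform Module technology. Move system's root of trust to hardware…`. The string also keeps its trailing `\n`, which looks unintentional and will show up in rendered mitigation text.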
diff --git a/ics-attack/relationship/relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7.json b/ics-attack/relationship/relationship--88cadeca-4012-4716-a095-9e1c79e59ec3.json similarity index 71% rename from ics-attack/relationship/relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7.json rename to ics-attack/relationship/relationship--88cadeca-4012-4716-a095-9e1c79e59ec3.json index 46c8696d2c..64dda6a75b 100644 --- a/ics-attack/relationship/relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7.json +++ b/ics-attack/relationship/relationship--88cadeca-4012-4716-a095-9e1c79e59ec3.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--b774948f-0531-4256-9635-e8718b2be770", + "id": "bundle--36f0cd71-0399-467a-8ac8-aab6a7f7c39c", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7", + "id": "relationship--88cadeca-4012-4716-a095-9e1c79e59ec3", "created": "2023-09-29T16:47:08.696Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:50.768Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2.json b/ics-attack/relationship/relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2.json index 2af370d881..8c64e76900 100644 --- a/ics-attack/relationship/relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2.json 
+++ b/ics-attack/relationship/relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d2875224-7351-445e-af0c-edd1f7eec5ad", + "id": "bundle--aa87ee40-63ee-4029-acd2-3300b9674e28", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2", "created": "2023-09-28T21:24:07.864Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:31.654Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--890ddf20-18a6-4d23-98dd-970478133169.json b/ics-attack/relationship/relationship--890ddf20-18a6-4d23-98dd-970478133169.json new file mode 100644 index 0000000000..fdc3a8b908 --- /dev/null +++ b/ics-attack/relationship/relationship--890ddf20-18a6-4d23-98dd-970478133169.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a1cc9b11-db15-4717-9b30-4b3fc21322d4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--890ddf20-18a6-4d23-98dd-970478133169", + "created": "2026-04-22T22:35:51.042Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:35:51.042Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--896e91ed-b145-43c2-a4c6-aa768fcb5293.json b/ics-attack/relationship/relationship--896e91ed-b145-43c2-a4c6-aa768fcb5293.json index 5bf6b9f391..f049d88bb9 100644 --- a/ics-attack/relationship/relationship--896e91ed-b145-43c2-a4c6-aa768fcb5293.json +++ b/ics-attack/relationship/relationship--896e91ed-b145-43c2-a4c6-aa768fcb5293.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b115475b-c141-4797-888c-f103655644ef", + "id": "bundle--d07cac02-68ac-420c-882e-cacaa73f999a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--896e91ed-b145-43c2-a4c6-aa768fcb5293", "created": "2025-09-29T19:49:53.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--897cfc36-4253-4e1e-8825-726dbe9088a2.json b/ics-attack/relationship/relationship--897cfc36-4253-4e1e-8825-726dbe9088a2.json index ac52e84e23..3b136e543e 100644 --- a/ics-attack/relationship/relationship--897cfc36-4253-4e1e-8825-726dbe9088a2.json +++ b/ics-attack/relationship/relationship--897cfc36-4253-4e1e-8825-726dbe9088a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--03cad0d4-484f-4f4a-aa01-63112d727189", + "id": "bundle--73be9fb6-41d3-485e-868e-13358e950b9a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--897cfc36-4253-4e1e-8825-726dbe9088a2", "created": "2023-09-28T19:55:02.944Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:32.235Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
diff --git a/ics-attack/relationship/relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908.json b/ics-attack/relationship/relationship--898a9eb9-671e-4096-8288-72ffb49e93f3.json similarity index 88% rename from ics-attack/relationship/relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908.json rename to ics-attack/relationship/relationship--898a9eb9-671e-4096-8288-72ffb49e93f3.json index 800bd27c8e..307353d0d9 100644 --- a/ics-attack/relationship/relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908.json +++ b/ics-attack/relationship/relationship--898a9eb9-671e-4096-8288-72ffb49e93f3.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--29469d31-a409-4be8-b83d-851e2aad3f32", + "id": "bundle--d0859fe0-2323-4bb8-ad67-7b6f5d02d200", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908", + "id": "relationship--898a9eb9-671e-4096-8288-72ffb49e93f3", "created": "2023-03-30T19:25:53.572Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -28,10 +28,10 @@ "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", "relationship_type": "uses", "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json b/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json index 480530e07d..6236b395ee 100644 --- a/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json +++ b/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--559520dd-c2be-4d29-98a3-f56ddbf6d7bb", + "id": "bundle--e9cd8b4d-4a05-4721-b31c-1898ddc868bf", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd", "created": "2021-10-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--8a3a5d90-a030-479e-b38d-d7d749f327d1.json b/ics-attack/relationship/relationship--8a3a5d90-a030-479e-b38d-d7d749f327d1.json index d8c05d39d3..1ffe1019e6 100644 --- a/ics-attack/relationship/relationship--8a3a5d90-a030-479e-b38d-d7d749f327d1.json +++ b/ics-attack/relationship/relationship--8a3a5d90-a030-479e-b38d-d7d749f327d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a3889087-92fb-4880-b000-e165adaabdea", + "id": "bundle--7662f906-c508-496f-8ad5-bcaacbf770e1", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--8a3a5d90-a030-479e-b38d-d7d749f327d1", "created": "2025-09-29T19:08:00.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108.json b/ics-attack/relationship/relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108.json index 942a5c2f60..7bc2ece30b 100644 
--- a/ics-attack/relationship/relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108.json +++ b/ics-attack/relationship/relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ff8180fc-3f02-4993-9b50-7423956a8bd0", + "id": "bundle--4848b973-93fa-4ceb-b943-f91ee25daecc", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108", "created": "2023-09-29T16:42:43.736Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:33.311Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--8a7c4419-b2c6-4774-bcba-a28fc6c5bcce.json b/ics-attack/relationship/relationship--8a7c4419-b2c6-4774-bcba-a28fc6c5bcce.json index a199d25891..f91c247226 100644 --- a/ics-attack/relationship/relationship--8a7c4419-b2c6-4774-bcba-a28fc6c5bcce.json +++ b/ics-attack/relationship/relationship--8a7c4419-b2c6-4774-bcba-a28fc6c5bcce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f000722d-b89f-4c8f-9c81-64644c5b9682", + "id": "bundle--be9b418f-280e-42d9-9a51-bc9cdb414b0a", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--74b96bd4-dab9-494e-a540-b7c998581fd5", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", 
diff --git a/ics-attack/relationship/relationship--8a80c4f3-8f5b-4b22-b2e8-ad472d4df89d.json b/ics-attack/relationship/relationship--8a80c4f3-8f5b-4b22-b2e8-ad472d4df89d.json new file mode 100644 index 0000000000..7e4c41489b --- /dev/null +++ b/ics-attack/relationship/relationship--8a80c4f3-8f5b-4b22-b2e8-ad472d4df89d.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--33f914d8-42a8-45f3-ac2b-16512460bd76", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8a80c4f3-8f5b-4b22-b2e8-ad472d4df89d", + "created": "2026-04-23T00:37:26.011Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:37:26.011Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json b/ics-attack/relationship/relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json index aa385aa7cc..8eee4fb02e 100644 --- a/ics-attack/relationship/relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json +++ b/ics-attack/relationship/relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--76c43d99-0844-4ef7-ba97-f755a953d1fc", + "id": "bundle--147fad26-3ace-4d94-8db2-ab61c5c83f25", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62", "created": "2023-09-27T14:50:09.612Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", diff --git a/ics-attack/relationship/relationship--8a9fde66-7874-4418-8652-d8a987c0b5df.json b/ics-attack/relationship/relationship--8a9fde66-7874-4418-8652-d8a987c0b5df.json index 304a688757..7343f5e449 100644 --- a/ics-attack/relationship/relationship--8a9fde66-7874-4418-8652-d8a987c0b5df.json +++ b/ics-attack/relationship/relationship--8a9fde66-7874-4418-8652-d8a987c0b5df.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ab35cac-0f1c-428d-8372-e644aea84286", + "id": "bundle--d8a7b920-1774-4f69-b4f7-5f3c5e1d0bbd", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--8a9fde66-7874-4418-8652-d8a987c0b5df", "created": "2025-09-29T22:05:35.591Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--43ab2ba4-4bb7-4d5d-83ad-c87ef3f05e7d.json b/ics-attack/relationship/relationship--8ab684f0-96e1-4a4f-b139-44afd8d093f2.json similarity index 78% rename from ics-attack/relationship/relationship--43ab2ba4-4bb7-4d5d-83ad-c87ef3f05e7d.json rename to ics-attack/relationship/relationship--8ab684f0-96e1-4a4f-b139-44afd8d093f2.json index a0c30f3992..7fdc3112d6 100644 --- a/ics-attack/relationship/relationship--43ab2ba4-4bb7-4d5d-83ad-c87ef3f05e7d.json +++ b/ics-attack/relationship/relationship--8ab684f0-96e1-4a4f-b139-44afd8d093f2.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--665c9a0d-04fb-4f29-9498-ff1cf9e34fd6", + "id": "bundle--5f7f0625-1e75-4044-9b76-0a1b2bce4328", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--43ab2ba4-4bb7-4d5d-83ad-c87ef3f05e7d", + "id": "relationship--8ab684f0-96e1-4a4f-b139-44afd8d093f2", "created": "2025-09-29T19:08:29.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-29T19:08:29.213Z", "relationship_type": "targets", - "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "source_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, diff --git a/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json b/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json index 9ecc525dbc..6f16ebc7da 100644 --- a/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json +++ b/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0ab63b0-0408-477d-b69a-604c1594d3be", + "id": "bundle--bfd141aa-25c7-4dd0-8181-d551277d5540", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json b/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json index 9ef0be0ca9..1650094150 100644 --- a/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json +++ b/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json 
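Review bot: In the rename to relationship--8ab684f0 the object gets a new `id` and a new `source_ref`, but the context lines keep `"created"` and `"modified"` at `2025-09-29T19:08:29.213Z`. A consumer that pulls changes incrementally by `modified` would presumably not see this object as new. The old id relationship--43ab2ba4 also disappears with no tombstone visible in this diff, so technique-to-asset mappings cached under it can go stale. I would stamp the re-issued object with the release time, `"modified": "<release timestamp>"`, as the genuinely new files in this commit do. The 898a9eb9, 8d0793f1 and 8f7df0c0 renames also keep their old `created`; their `modified` lines fall outside the hunks shown.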
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cc7d7a1a-9ed8-4994-bab5-61be388177cf", + "id": "bundle--150b153f-d9eb-451e-b612-e10b4b272ff1", "spec_version": "2.0", "objects": [ { @@ -19,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:03:34.317Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) uses TriStations default UDP port, 1502, to communicate with devices. (Citation: MDudek-ICS)", + "modified": "2026-04-17T16:33:42.807Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) uses TriStations default UDP port, 1502, to communicate with devices.(Citation: MDudek-ICS)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8b303086-8ae7-415b-b46d-16ce814aa94f.json b/ics-attack/relationship/relationship--8b303086-8ae7-415b-b46d-16ce814aa94f.json new file mode 100644 index 0000000000..8503950515 --- /dev/null +++ b/ics-attack/relationship/relationship--8b303086-8ae7-415b-b46d-16ce814aa94f.json 
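Review bot: The rewritten description still reads `TriStations default UDP port`, without the possessive apostrophe, even though this line is being edited to tighten the citation spacing. Since the sentence names the protocol and port that analysts search on, I would correct it in the same pass: `uses TriStation's default UDP port, 1502, to communicate with devices.(Citation: MDudek-ICS)`.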
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--0f6b6d3c-5145-489b-8dca-f5a80bf98e62", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8b303086-8ae7-415b-b46d-16ce814aa94f", + "created": "2026-04-22T16:35:32.349Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:35:32.350Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8b3f5b8c-789e-4f61-8e5c-fb28f8662d32.json b/ics-attack/relationship/relationship--8b3f5b8c-789e-4f61-8e5c-fb28f8662d32.json index 491d1181c4..4c466f0755 100644 --- a/ics-attack/relationship/relationship--8b3f5b8c-789e-4f61-8e5c-fb28f8662d32.json +++ b/ics-attack/relationship/relationship--8b3f5b8c-789e-4f61-8e5c-fb28f8662d32.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--36c87fb0-56d3-4988-ad6d-8857c0c6fd12", + "id": "bundle--e55cb5a6-eff1-49b7-8a68-145159bca1ba", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--8b3f5b8c-789e-4f61-8e5c-fb28f8662d32", "created": "2025-09-24T18:18:43.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--8b698bb5-5b69-4137-a3d4-f3acf251f87b.json b/ics-attack/relationship/relationship--8b698bb5-5b69-4137-a3d4-f3acf251f87b.json new file mode 100644 index 0000000000..81c08369f0 --- /dev/null 
+++ b/ics-attack/relationship/relationship--8b698bb5-5b69-4137-a3d4-f3acf251f87b.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--25aac2bd-9cd6-4c26-b07c-9d0f7be9ce80", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8b698bb5-5b69-4137-a3d4-f3acf251f87b", + "created": "2026-04-22T16:39:55.588Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:39:55.588Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f.json b/ics-attack/relationship/relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f.json index 36c239e41b..f743131999 100644 --- a/ics-attack/relationship/relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f.json +++ b/ics-attack/relationship/relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--58a42c66-af92-4b7e-8101-d72b0f9612d6", + "id": "bundle--ae99b8aa-eacd-4519-bff3-953549cc73ae", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f", "created": "2023-09-27T14:49:29.987Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", 
diff --git a/ics-attack/relationship/relationship--8c03fd0a-646f-4d79-83fc-8ec428191810.json b/ics-attack/relationship/relationship--8c03fd0a-646f-4d79-83fc-8ec428191810.json new file mode 100644 index 0000000000..3a0f4ea944 --- /dev/null +++ b/ics-attack/relationship/relationship--8c03fd0a-646f-4d79-83fc-8ec428191810.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--bf9af657-9d80-4509-a626-f194f0743087", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8c03fd0a-646f-4d79-83fc-8ec428191810", + "created": "2026-04-20T20:54:24.019Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:24.019Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8c523980-7db0-4173-9df4-eba2c36f6655.json b/ics-attack/relationship/relationship--8c523980-7db0-4173-9df4-eba2c36f6655.json index b17be3615d..6e5caec196 100644 --- a/ics-attack/relationship/relationship--8c523980-7db0-4173-9df4-eba2c36f6655.json +++ b/ics-attack/relationship/relationship--8c523980-7db0-4173-9df4-eba2c36f6655.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8a2a45b-f01a-489c-8165-bfdcf6b61b26", + "id": "bundle--bd181623-0c46-4e57-86f3-d61e80459903", "spec_version": "2.0", "objects": [ { 
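Review bot: The new `subtechnique-of` relationship--8c03fd0a has no `x_mitre_deprecated` key, whereas every other relationship file added in this part of the diff carries `"x_mitre_deprecated": false`. If the omission is not deliberate for this relationship type, add `"x_mitre_deprecated": false,` before `"x_mitre_attack_spec_version"`. Otherwise consumers that filter deprecated objects need to treat the missing key as false.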
@@ -8,7 +8,6 @@ "id": "relationship--8c523980-7db0-4173-9df4-eba2c36f6655", "created": "2025-09-29T21:59:04.286Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--8c6fe57d-3344-4fe7-b547-a3c5046960bb.json b/ics-attack/relationship/relationship--8c6fe57d-3344-4fe7-b547-a3c5046960bb.json index 9439a41592..538954222f 100644 --- a/ics-attack/relationship/relationship--8c6fe57d-3344-4fe7-b547-a3c5046960bb.json +++ b/ics-attack/relationship/relationship--8c6fe57d-3344-4fe7-b547-a3c5046960bb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3de21872-bb99-494a-8430-19eb784bb8e3", + "id": "bundle--aa070075-8896-4b0c-a8b7-57abcacc30ea", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--8c6fe57d-3344-4fe7-b547-a3c5046960bb", "created": "2025-09-24T18:12:11.580Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json b/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json index 53d4ca1aec..bfcebb6d89 100644 --- a/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json +++ b/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e40e6fac-dc7a-4818-80a6-e59333e55327", + "id": "bundle--22836fb3-1414-4f25-90f4-ed029d8a4fd9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95.json b/ics-attack/relationship/relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95.json index 955218054b..7869430723 100644 
--- a/ics-attack/relationship/relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95.json +++ b/ics-attack/relationship/relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ea344ab4-0742-4f80-8b6c-d9870a22c988", + "id": "bundle--e20f8287-3415-40a3-8e93-65b944aa81ad", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95", "created": "2023-09-28T20:31:46.082Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:35.783Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--ac7b64c8-cac9-4efb-990e-eed5e7fb35ee.json b/ics-attack/relationship/relationship--8d0793f1-e818-4632-8fb6-8c4aa5c7f073.json similarity index 83% rename from ics-attack/relationship/relationship--ac7b64c8-cac9-4efb-990e-eed5e7fb35ee.json rename to ics-attack/relationship/relationship--8d0793f1-e818-4632-8fb6-8c4aa5c7f073.json index d62e88ec03..d78b5308d4 100644 --- a/ics-attack/relationship/relationship--ac7b64c8-cac9-4efb-990e-eed5e7fb35ee.json +++ b/ics-attack/relationship/relationship--8d0793f1-e818-4632-8fb6-8c4aa5c7f073.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--e9620158-c11d-4e24-a2a3-c7f90a768ff9", + "id": "bundle--d74dea05-b948-45bb-9515-e9cc2f14476f", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--ac7b64c8-cac9-4efb-990e-eed5e7fb35ee", + "id": "relationship--8d0793f1-e818-4632-8fb6-8c4aa5c7f073", "created": "2024-11-20T23:26:28.979Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -23,10 +23,10 @@ "description": "During [FrostyGoop Incident](https://attack.mitre.org/campaigns/C0041), the adversary initiated a firmware downgrade on impacted devices.(Citation: Dragos FROSTYGOOP 2024)", "relationship_type": "uses", "source_ref": "campaign--1169ff24-b35f-4d8d-8cf3-643a2834227f", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json b/ics-attack/relationship/relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json index 734b06f547..9f6415f07d 100644 --- a/ics-attack/relationship/relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json +++ b/ics-attack/relationship/relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1cb73078-eec5-4480-a2f8-822f2bdfb5b4", + "id": "bundle--0be77756-4f1c-47ba-b602-90f228f2f152", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91", "created": "2023-09-27T14:49:48.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Ukraine15 - EISAC - 201603", diff --git a/ics-attack/relationship/relationship--8d392c6e-1368-4c6f-a189-aaf4c6355e55.json b/ics-attack/relationship/relationship--8d392c6e-1368-4c6f-a189-aaf4c6355e55.json index e5883ef8c7..273ec9ade5 100644 --- a/ics-attack/relationship/relationship--8d392c6e-1368-4c6f-a189-aaf4c6355e55.json +++ b/ics-attack/relationship/relationship--8d392c6e-1368-4c6f-a189-aaf4c6355e55.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6640a38d-f56b-45ec-beae-b8aa950c3377", + "id": "bundle--b1e7449b-7940-4b30-9081-2da376a7ad41", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--09754c36-7be2-4536-aad2-a6c3568ba0e5", "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", diff --git a/ics-attack/relationship/relationship--8d39646f-b224-4209-8c05-15002ea797b9.json b/ics-attack/relationship/relationship--8d39646f-b224-4209-8c05-15002ea797b9.json new file mode 100644 index 0000000000..00dc5cdea2 --- /dev/null +++ b/ics-attack/relationship/relationship--8d39646f-b224-4209-8c05-15002ea797b9.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--5159ba17-d81c-4f0c-a360-67c05c118a7e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8d39646f-b224-4209-8c05-15002ea797b9", + "created": "2026-04-23T00:29:36.779Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:29:36.779Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8d4d0ce4-ca42-4a05-a959-89d6af2650e2.json b/ics-attack/relationship/relationship--8d4d0ce4-ca42-4a05-a959-89d6af2650e2.json new file mode 100644 index 0000000000..ddd61a789a --- /dev/null 
+++ b/ics-attack/relationship/relationship--8d4d0ce4-ca42-4a05-a959-89d6af2650e2.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--627a7d91-1ccb-4abe-abad-cacb00218e04", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8d4d0ce4-ca42-4a05-a959-89d6af2650e2", + "created": "2026-04-22T20:26:41.624Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:26:41.624Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7.json b/ics-attack/relationship/relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7.json index f7cdd319c5..1eaff16317 100644 --- a/ics-attack/relationship/relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7.json +++ b/ics-attack/relationship/relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e55113f9-7fde-42f0-8159-c4fa2a1da6a9", + "id": "bundle--bfc10c6e-9e76-4fab-9881-367b8b54ab6e", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7", "created": "2023-09-28T21:25:20.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:36.191Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--8e11c3ef-4ee3-4a91-868f-d0a1c10d538b.json b/ics-attack/relationship/relationship--8e11c3ef-4ee3-4a91-868f-d0a1c10d538b.json index 0bfae469fe..8307c80d87 100644 --- a/ics-attack/relationship/relationship--8e11c3ef-4ee3-4a91-868f-d0a1c10d538b.json +++ b/ics-attack/relationship/relationship--8e11c3ef-4ee3-4a91-868f-d0a1c10d538b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c877ea01-b08f-4106-b9fd-5b7d60a3c63e", + "id": "bundle--a5630b56-ea0e-4a6a-b288-83063503b901", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--2145faf1-28da-4ebc-9730-f2e2a8764ced", "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", diff --git a/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json b/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json index 850718ce30..2fc9882281 100644 --- a/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json +++ b/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--36abab6e-2ab9-42ab-a032-33a244a9ddad", + "id": "bundle--c13e4f57-bf44-4937-86f6-05124c7afd1d", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b.json b/ics-attack/relationship/relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b.json index 234bd77faf..aac4bb1704 100644 --- a/ics-attack/relationship/relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b.json +++ b/ics-attack/relationship/relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f5e9e425-2ba0-423c-b996-60995cc60386", + "id": "bundle--c21f0bd5-e5b9-4986-a471-a1e54b220f10", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b", "created": "2023-09-29T17:05:44.653Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:37.044Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json b/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json index 1085cea672..cc473a9bc4 100644 --- a/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json +++ b/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c5be7ceb-dbaf-4e4c-a846-a94da04b74d1", + "id": "bundle--9958acfd-81c8-4e68-849f-0cd6168d16bb", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", 
diff --git a/ics-attack/relationship/relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json b/ics-attack/relationship/relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json index f8e35190f5..67502ed644 100644 --- a/ics-attack/relationship/relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json +++ b/ics-attack/relationship/relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e49d7076-d860-4c6e-a09f-0146e376817e", + "id": "bundle--3a42981d-620a-4150-9a80-0ac157255815", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8", "created": "2023-03-30T19:00:57.773Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json b/ics-attack/relationship/relationship--8f7df0c0-9cc3-4322-847d-1f4ec35dfa65.json similarity index 73% rename from ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json rename to ics-attack/relationship/relationship--8f7df0c0-9cc3-4322-847d-1f4ec35dfa65.json index 5839414d1c..15d0beda49 100644 --- a/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json +++ b/ics-attack/relationship/relationship--8f7df0c0-9cc3-4322-847d-1f4ec35dfa65.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--9ea3ddde-0f26-42ad-9727-494353963fca", + "id": "bundle--a92e11fd-8d82-4644-a577-598f4e2d4ea9", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f", + "id": "relationship--8f7df0c0-9cc3-4322-847d-1f4ec35dfa65", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -15,10 +16,10 @@ "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json b/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json index 869cb49638..b7ae3df7bf 100644 --- a/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json +++ b/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ccd1690f-f5ef-49a6-82fb-d4a9f3ab789a", + "id": "bundle--274b3479-61fb-4409-85b7-37233ae00397", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json b/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json index 54730bcb92..07af7654ca 100644 --- a/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json +++ b/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--08823adb-2e0d-4a6f-a30c-0181c16133e0", + "id": "bundle--eed60e42-8e3c-458a-8dd1-c0083d6d7985", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json b/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json index dc09e61d4b..2f460e8ada 100644 
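Review bot: This relationship gets a new identity and a new target but keeps its old timestamps. The first hunk changes the id to `relationship--8f7df0c0-9cc3-4322-847d-1f4ec35dfa65` and keeps `"created": "2020-09-21T17:59:24.739Z"`, this hunk repoints `target_ref` to `attack-pattern--68a9324d-a524-4766-a899-a026f68a33df`, and the line between the two hunks (presumably `modified`, not visible here) is untouched. A new id is a new object to any STIX consumer, so an incremental sync that selects on `created` or `modified` newer than the last pull would likely never ingest this mitigation mapping. The old `relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f` also disappears with no revoked marker, leaving cached copies stale. Consider giving the new object current `created` and `modified` values, or keeping the old id and only bumping `modified`. The rename to `relationship--9315cc99-8e64-4bdc-99b9-6c8ab9b1f5ce` further down has the same shape.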
--- a/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json +++ b/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d4795286-bfb0-4454-87f5-af8fec2d9cd1", + "id": "bundle--36d9681e-f5a4-4262-b04c-4327b98a4f67", "spec_version": "2.0", "objects": [ { @@ -8,6 +8,7 @@ "id": "relationship--8fcecf74-36df-41ab-9476-539c9ac0b339", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security September 2016", @@ -18,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:11.826Z", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "modified": "2026-04-23T20:04:07.019Z", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json b/ics-attack/relationship/relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json index 4b7c0975df..343b3d3191 100644 --- a/ics-attack/relationship/relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json 
+++ b/ics-attack/relationship/relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc873e29-d0fa-41a2-a5cf-d442361f0508", + "id": "bundle--babb38f2-df78-456b-aabd-6b9c21ce1cc1", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb", "created": "2023-09-29T17:04:17.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:38.724Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--9042b73d-5c10-4797-bace-71e49adeebdf.json b/ics-attack/relationship/relationship--9042b73d-5c10-4797-bace-71e49adeebdf.json index d8dc57f90e..88e4254566 100644 --- a/ics-attack/relationship/relationship--9042b73d-5c10-4797-bace-71e49adeebdf.json +++ b/ics-attack/relationship/relationship--9042b73d-5c10-4797-bace-71e49adeebdf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--78c50f46-1f70-4fff-84c7-c1c594e25ff0", + "id": "bundle--388d25fe-78d2-4ca7-b072-bb3e9c198b4e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--9042b73d-5c10-4797-bace-71e49adeebdf", "created": "2025-09-24T17:55:03.798Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--90647f03-38a4-4364-a3af-53640a81360e.json b/ics-attack/relationship/relationship--90647f03-38a4-4364-a3af-53640a81360e.json index d07be59345..e2b9e17d69 100644 --- a/ics-attack/relationship/relationship--90647f03-38a4-4364-a3af-53640a81360e.json 
+++ b/ics-attack/relationship/relationship--90647f03-38a4-4364-a3af-53640a81360e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7fa0431e-e17a-468f-b14b-aa4c70218527", + "id": "bundle--5022b18a-c1ee-4f6c-bc98-c0adde6486c8", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--90647f03-38a4-4364-a3af-53640a81360e", "created": "2023-03-31T18:11:19.943Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik August 2019", diff --git a/ics-attack/relationship/relationship--90d4ef3f-f0d4-40ac-9f63-61242b757a32.json b/ics-attack/relationship/relationship--90d4ef3f-f0d4-40ac-9f63-61242b757a32.json new file mode 100644 index 0000000000..322314f08e --- /dev/null +++ b/ics-attack/relationship/relationship--90d4ef3f-f0d4-40ac-9f63-61242b757a32.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--5cdda826-efd3-46ce-909b-d54ede8ef300", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--90d4ef3f-f0d4-40ac-9f63-61242b757a32", + "created": "2026-04-22T16:39:16.222Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:39:16.222Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json b/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json index cb78bd1745..edb5f00323 100644 
--- a/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json +++ b/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d030c127-f4e1-4c5c-bad6-7a0fc8b1591e", + "id": "bundle--688b9616-74c4-49f7-aa8d-ad69ce429d8d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654", "created": "2021-04-12T10:12:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", diff --git a/ics-attack/relationship/relationship--90e245ae-a785-4956-be9b-dc4da0b290c5.json b/ics-attack/relationship/relationship--90e245ae-a785-4956-be9b-dc4da0b290c5.json index 51434c6f6c..38e12c9b83 100644 --- a/ics-attack/relationship/relationship--90e245ae-a785-4956-be9b-dc4da0b290c5.json +++ b/ics-attack/relationship/relationship--90e245ae-a785-4956-be9b-dc4da0b290c5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--07229c00-a21e-4f63-9b9c-1f64138a3769", + "id": "bundle--51a5e6c9-cd8f-4b95-af53-c441425a43cf", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--89e95503-b02c-43da-90b3-15584b27e6d6", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", diff --git a/ics-attack/relationship/relationship--910bada1-c923-4009-a9ea-da257072f168.json b/ics-attack/relationship/relationship--910bada1-c923-4009-a9ea-da257072f168.json index fefbe68251..40a78a617b 100644 --- a/ics-attack/relationship/relationship--910bada1-c923-4009-a9ea-da257072f168.json +++ b/ics-attack/relationship/relationship--910bada1-c923-4009-a9ea-da257072f168.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--462f48b9-edb3-42b0-b0f5-ac46bf89e68c", + "id": "bundle--ec2d6747-8faa-4140-9d5d-3c610fff0034", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--910bada1-c923-4009-a9ea-da257072f168", "created": "2023-09-29T16:29:27.902Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:39.456Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--9129c348-431e-45b4-8a7b-7bc71b47732b.json b/ics-attack/relationship/relationship--9129c348-431e-45b4-8a7b-7bc71b47732b.json new file mode 100644 index 0000000000..7572f1a6c9 --- /dev/null +++ b/ics-attack/relationship/relationship--9129c348-431e-45b4-8a7b-7bc71b47732b.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--9d44d8e4-8f1e-4095-8c7f-05d22062cb17", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9129c348-431e-45b4-8a7b-7bc71b47732b", + "created": "2026-04-22T21:35:09.040Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:35:09.040Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--91501bcb-896f-4bda-9f97-196145646185.json b/ics-attack/relationship/relationship--91501bcb-896f-4bda-9f97-196145646185.json new file mode 100644 index 0000000000..4f875af30c --- /dev/null +++ b/ics-attack/relationship/relationship--91501bcb-896f-4bda-9f97-196145646185.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--0ca851e3-6852-4d8e-a47e-9644ca81be47", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--91501bcb-896f-4bda-9f97-196145646185", + "created": "2026-04-23T00:30:00.479Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:30:00.479Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json b/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json index a85f967822..6d218f7ee6 100644 --- a/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json +++ b/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--540097a0-65f9-4f77-9dd9-9c9956edc52c", + "id": "bundle--41b83f4c-bd60-4c58-a5b2-d9ce1618d9c0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json b/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json index 9333839b32..816cc34610 100644 
--- a/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json +++ b/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--423023d2-869f-4dc5-833a-f66f5e6c4c0c", + "id": "bundle--74d1cbae-c3db-48ef-9ed3-05b34287544f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json b/ics-attack/relationship/relationship--9315cc99-8e64-4bdc-99b9-6c8ab9b1f5ce.json similarity index 74% rename from ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json rename to ics-attack/relationship/relationship--9315cc99-8e64-4bdc-99b9-6c8ab9b1f5ce.json index f52851a8d7..f1ffc14faa 100644 --- a/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json +++ b/ics-attack/relationship/relationship--9315cc99-8e64-4bdc-99b9-6c8ab9b1f5ce.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--544c5701-218b-4845-8d04-e120b8b2ded6", + "id": "bundle--a28f96ca-7700-488f-8a0d-7ac2202386e0", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b", + "id": "relationship--9315cc99-8e64-4bdc-99b9-6c8ab9b1f5ce", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -15,10 +16,10 @@ "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--931e05ae-0fc9-4e37-9c88-063b80fd1d61.json b/ics-attack/relationship/relationship--931e05ae-0fc9-4e37-9c88-063b80fd1d61.json new file mode 100644 index 0000000000..a66e54bf98 --- /dev/null +++ b/ics-attack/relationship/relationship--931e05ae-0fc9-4e37-9c88-063b80fd1d61.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--8070241b-d2ab-4fb9-8f29-72264b9232af", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--931e05ae-0fc9-4e37-9c88-063b80fd1d61", + "created": "2026-04-22T21:43:35.341Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:04:07.023Z", + "description": "Ensure systems and devices have an alternative method for communicating in the event that communication channels become unavailable.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--93489277-7107-4bad-a9d1-2013ef471905.json b/ics-attack/relationship/relationship--93489277-7107-4bad-a9d1-2013ef471905.json new file mode 100644 index 0000000000..0731b4d2b8 --- /dev/null +++ b/ics-attack/relationship/relationship--93489277-7107-4bad-a9d1-2013ef471905.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--7d2ef958-efa9-4e95-82ce-ec3b91fe76a4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--93489277-7107-4bad-a9d1-2013ef471905", + "created": "2026-04-23T14:06:34.173Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T14:06:34.173Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers.(Citation: Wylie-22)", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e.json b/ics-attack/relationship/relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e.json index 70fffe9bcf..4bbd690cb3 100644 
--- a/ics-attack/relationship/relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e.json +++ b/ics-attack/relationship/relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d9a77982-6d7d-4199-bb6d-95182b9b29c9", + "id": "bundle--a7b50731-933e-49aa-82e4-f3cb176c1588", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e", "created": "2023-09-29T17:38:40.536Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:40.317Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--9397e373-3be0-4229-b390-fd5ed0482999.json b/ics-attack/relationship/relationship--9397e373-3be0-4229-b390-fd5ed0482999.json index a3522c0399..e5901a2788 100644 --- a/ics-attack/relationship/relationship--9397e373-3be0-4229-b390-fd5ed0482999.json +++ b/ics-attack/relationship/relationship--9397e373-3be0-4229-b390-fd5ed0482999.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a67e6f1-2d1b-4382-810e-4516054763ba", + "id": "bundle--0b63898c-561d-4b9b-bad9-0c765f88034d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--9397e373-3be0-4229-b390-fd5ed0482999", "created": "2025-09-24T18:13:57.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--93c336f2-7e7c-4c79-af16-faae03e66121.json b/ics-attack/relationship/relationship--93c336f2-7e7c-4c79-af16-faae03e66121.json index 24eb4dfc77..6c95381216 100644 
--- a/ics-attack/relationship/relationship--93c336f2-7e7c-4c79-af16-faae03e66121.json +++ b/ics-attack/relationship/relationship--93c336f2-7e7c-4c79-af16-faae03e66121.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c252af33-ce2a-492a-95ad-3fe333fdfcaf", + "id": "bundle--8fc336e0-93a7-4d13-9307-c803e04ad486", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--93c336f2-7e7c-4c79-af16-faae03e66121", "created": "2023-09-29T18:44:09.293Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:40.516Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--943a9a5c-7826-451d-ac73-34353ea40595.json b/ics-attack/relationship/relationship--943a9a5c-7826-451d-ac73-34353ea40595.json index 1d5b167a14..7d64c4434f 100644 --- a/ics-attack/relationship/relationship--943a9a5c-7826-451d-ac73-34353ea40595.json +++ b/ics-attack/relationship/relationship--943a9a5c-7826-451d-ac73-34353ea40595.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--36649b0d-06b0-416c-87c3-d94f0e833171", + "id": "bundle--36ae5285-3a47-4539-9bd1-41c4934f9511", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--943a9a5c-7826-451d-ac73-34353ea40595", "created": "2023-09-29T16:33:36.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:40.934Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
diff --git a/ics-attack/relationship/relationship--94654460-b115-4056-beb1-e982ed33437b.json b/ics-attack/relationship/relationship--94654460-b115-4056-beb1-e982ed33437b.json index a760fe286b..5cc20d1102 100644 --- a/ics-attack/relationship/relationship--94654460-b115-4056-beb1-e982ed33437b.json +++ b/ics-attack/relationship/relationship--94654460-b115-4056-beb1-e982ed33437b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d57fe1b5-ab28-4068-bc55-a67f803771e0", + "id": "bundle--b9ac8827-fcd8-4405-9cbe-36691f5d26ba", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--94654460-b115-4056-beb1-e982ed33437b", "created": "2023-03-30T18:59:46.674Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Keith Stouffer May 2015", diff --git a/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json b/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json index 6cac6e42cc..56856a86be 100644 --- a/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json +++ b/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5b198c72-cfc9-4ea9-a99d-46c36ba40855", + "id": "bundle--4377f8c8-3b97-4bea-afcc-8be293ea04ef", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", diff --git a/ics-attack/relationship/relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6.json b/ics-attack/relationship/relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6.json index 9356d6b05e..93d7ee411b 100644 
--- a/ics-attack/relationship/relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6.json +++ b/ics-attack/relationship/relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--649cbd7d-eb5b-4b71-8efd-63d2554dfdd2", + "id": "bundle--111088f4-1407-4da5-a50a-24265db5cbf9", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--9537d9c9-ba0d-42d9-b97d-3b28bfe265e6", "created": "2024-04-09T20:47:47.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:42.019Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--954fc7ef-7e8a-446c-82d1-9798d8c00fbe.json b/ics-attack/relationship/relationship--954fc7ef-7e8a-446c-82d1-9798d8c00fbe.json new file mode 100644 index 0000000000..2cd3e6f51d --- /dev/null +++ b/ics-attack/relationship/relationship--954fc7ef-7e8a-446c-82d1-9798d8c00fbe.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--0df1a5c8-f0e6-4f35-828e-240affb1db5b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--954fc7ef-7e8a-446c-82d1-9798d8c00fbe", + "created": "2026-04-22T20:00:48.737Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:20:26.797Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used valid accounts to access Hitatchi RTUs, Mikronika RTUs, Hitachi Relion Protection and Control Relays, Mikronika HMI Computers, and Moxa NPort Serial Device Servers.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--962128bd-13b9-48a6-a4c8-3f07104a962f.json b/ics-attack/relationship/relationship--962128bd-13b9-48a6-a4c8-3f07104a962f.json new file mode 100644 index 0000000000..2732c2c8d5 --- /dev/null +++ b/ics-attack/relationship/relationship--962128bd-13b9-48a6-a4c8-3f07104a962f.json 
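Review bot: The `description` of the new relationship--954fc7ef-7e8a-446c-82d1-9798d8c00fbe misspells the vendor as `Hitatchi RTUs`, while the same sentence spells it `Hitachi Relion Protection and Control Relays`. Analysts who search the knowledge base by vendor name to scope exposure to this campaign would miss the RTU entry. The fix is `Hitachi RTUs`, with a matching bump of `modified`.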
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--67a5abd1-8f20-426d-b1f7-75db9999f0b5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--962128bd-13b9-48a6-a4c8-3f07104a962f", + "created": "2026-04-22T16:07:15.471Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:53:41.931Z", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json b/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json index 319f18863b..32f411990e 100644 --- a/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json +++ b/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc1f615c-5a72-4617-ae18-866ec4f4f880", + "id": "bundle--ee22cec2-1fef-44d4-8f65-6136eba5e5f0", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--966b59c0-8641-432c-84f7-b2a712004d74", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", diff --git a/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json b/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json index 8c3b4aaa10..02755dfe0a 100644 --- a/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json +++ b/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c1d84959-f6f2-4a94-b158-f101af79c9cb", + "id": "bundle--06a3dc56-c5b9-43a0-b043-d5a33280ea69", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8.json b/ics-attack/relationship/relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8.json index ca56f0b516..c234e8c4da 100644 --- a/ics-attack/relationship/relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8.json +++ b/ics-attack/relationship/relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b8a2dce9-848d-430d-b7f4-a82ebb594688", + "id": "bundle--eac83a8a-627f-4750-9990-2446fa4f6ec2", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8", "created": "2023-09-28T20:25:30.229Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:42.947Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
diff --git a/ics-attack/relationship/relationship--9700cbbe-4107-4c4f-b6df-32b9048e370a.json b/ics-attack/relationship/relationship--9700cbbe-4107-4c4f-b6df-32b9048e370a.json new file mode 100644 index 0000000000..48128cdf64 --- /dev/null +++ b/ics-attack/relationship/relationship--9700cbbe-4107-4c4f-b6df-32b9048e370a.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--a2570a38-63f5-426c-8f75-71d8da83f836", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9700cbbe-4107-4c4f-b6df-32b9048e370a", + "created": "2026-04-20T20:54:21.238Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:21.238Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json b/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json index 99a15e8bed..eeba9ebe32 100644 --- a/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json +++ b/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ac4b965e-b82b-4fbe-9803-5bc3bf39ac24", + "id": "bundle--ff4dc796-5d7b-43bf-b76b-2ef2df7541ad", "spec_version": "2.0", "objects": [ { 
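Review bot: The new `subtechnique-of` relationship--9700cbbe-4107-4c4f-b6df-32b9048e370a is the only relationship added in this part of the commit that has no `x_mitre_deprecated` key. The other new files (`targets`, `mitigates`, `uses`) all carry `"x_mitre_deprecated": false` between `x_mitre_modified_by_ref` and `x_mitre_attack_spec_version`. If the omission is not deliberate for this relationship type, add `"x_mitre_deprecated": false,` so that tooling which filters deprecated objects by reading the key sees a uniform shape. If it is deliberate, a line in the changelog saying so would save consumers from guessing.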
@@ -8,7 +8,6 @@ "id": "relationship--973f5884-a076-413e-ac96-f0bd01375fb6", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--97756c8a-b702-472b-8d67-15464a73093e.json b/ics-attack/relationship/relationship--97756c8a-b702-472b-8d67-15464a73093e.json index 7433f8e076..90a41be9b5 100644 --- a/ics-attack/relationship/relationship--97756c8a-b702-472b-8d67-15464a73093e.json +++ b/ics-attack/relationship/relationship--97756c8a-b702-472b-8d67-15464a73093e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2a0883a1-32b9-4a41-8327-4052c6181d60", + "id": "bundle--ce5e932b-35cd-43d0-a758-3beec3a3875f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--97756c8a-b702-472b-8d67-15464a73093e", "created": "2023-09-27T14:56:28.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", diff --git a/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json b/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json index 0233dd2dba..d66ad90928 100644 --- a/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json +++ b/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3a98e2f8-dbbb-43b8-8946-86a0cb062c29", + "id": "bundle--82394cee-077c-4064-a47d-0158d9b72091", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1.json b/ics-attack/relationship/relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1.json index 0979b0d140..ccd9afd0a2 100644 --- a/ics-attack/relationship/relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1.json 
+++ b/ics-attack/relationship/relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bb85a02a-8ce7-4286-a353-633189ef1add", + "id": "bundle--b622c182-470a-45d9-a916-321899d4ffe0", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1", "created": "2023-09-29T16:40:54.250Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:44.374Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e.json b/ics-attack/relationship/relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e.json index d8a422d00e..99cb379dfe 100644 --- a/ics-attack/relationship/relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e.json +++ b/ics-attack/relationship/relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--759b7f2b-2b65-4a69-88a9-5b1a1a7862d5", + "id": "bundle--e56e272f-04dd-46f7-8ca2-13a446dc943f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e", "created": "2023-09-29T16:41:32.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:44.581Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
diff --git a/ics-attack/relationship/relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json b/ics-attack/relationship/relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json index d30486f600..e5a49b6849 100644 --- a/ics-attack/relationship/relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json +++ b/ics-attack/relationship/relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ea4238f-3f60-4e86-b02c-495df0c581fc", + "id": "bundle--b8397286-7f3c-4ef2-98c1-23fd8e7b655e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319", "created": "2023-09-29T18:47:52.800Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:44.807Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--98288d43-50ca-4720-a5e4-f76f07e9f7cd.json b/ics-attack/relationship/relationship--98288d43-50ca-4720-a5e4-f76f07e9f7cd.json new file mode 100644 index 0000000000..7eb7a79ca7 --- /dev/null +++ b/ics-attack/relationship/relationship--98288d43-50ca-4720-a5e4-f76f07e9f7cd.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--86149578-0a7f-4cd3-bdcc-4423ac4f4de1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--98288d43-50ca-4720-a5e4-f76f07e9f7cd", + "created": "2026-04-22T22:49:14.057Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:49:14.057Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--982d0b4f-274a-4738-9262-57fc80d468f9.json b/ics-attack/relationship/relationship--982d0b4f-274a-4738-9262-57fc80d468f9.json index 70cd908667..80b4d990f2 100644 --- a/ics-attack/relationship/relationship--982d0b4f-274a-4738-9262-57fc80d468f9.json +++ b/ics-attack/relationship/relationship--982d0b4f-274a-4738-9262-57fc80d468f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30d53cea-8620-4e7f-83e6-d52df824fe68", + "id": "bundle--d5068a7e-76e7-4ff5-b160-ed33a5f8c09e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--982d0b4f-274a-4738-9262-57fc80d468f9", "created": "2024-03-26T15:41:51.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:45.001Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
diff --git a/ics-attack/relationship/relationship--983de217-1ea6-483a-a273-ecf950706cd7.json b/ics-attack/relationship/relationship--983de217-1ea6-483a-a273-ecf950706cd7.json index 8636dfd1af..070f4a222e 100644 --- a/ics-attack/relationship/relationship--983de217-1ea6-483a-a273-ecf950706cd7.json +++ b/ics-attack/relationship/relationship--983de217-1ea6-483a-a273-ecf950706cd7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d7e2414b-8b6f-44e2-b0d5-f4f1723a20e6", + "id": "bundle--6fcb1833-f849-40d2-bff3-0cb6d8355cdb", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--519082ce-24ab-4f6b-9e86-b9443758c9d4", "target_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", diff --git a/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json b/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json index 419c1cdf65..a6fe1f6054 100644 --- a/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json +++ b/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20fd2890-c13c-466d-920e-bc9ce26dc25b", + "id": "bundle--b100a864-f469-4b3d-9e87-d3ba7e8f17c7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--984d517f-56a1-4eb4-95e5-994eb9c6c3b5.json b/ics-attack/relationship/relationship--984d517f-56a1-4eb4-95e5-994eb9c6c3b5.json index ee4829b317..e07ba8eff9 100644 --- a/ics-attack/relationship/relationship--984d517f-56a1-4eb4-95e5-994eb9c6c3b5.json +++ b/ics-attack/relationship/relationship--984d517f-56a1-4eb4-95e5-994eb9c6c3b5.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--07c2f2ca-5b64-45d7-88d5-9c5bc52a6a66", + "id": "bundle--1c814d2d-fcaf-4c78-a3e5-bac80f17a176", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--984d517f-56a1-4eb4-95e5-994eb9c6c3b5", "created": "2024-03-27T20:46:21.569Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Mandiant-Sandworm-Ukraine-2022", diff --git a/ics-attack/relationship/relationship--98567b03-7421-4761-8caa-cbea82d89fe3.json b/ics-attack/relationship/relationship--98567b03-7421-4761-8caa-cbea82d89fe3.json index 41c719ed79..e234749c39 100644 --- a/ics-attack/relationship/relationship--98567b03-7421-4761-8caa-cbea82d89fe3.json +++ b/ics-attack/relationship/relationship--98567b03-7421-4761-8caa-cbea82d89fe3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6fdd70d4-2f87-47e8-aeac-90eb4c8444a8", + "id": "bundle--b850a750-6bd3-4ae0-806e-7b43a167afcb", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--98567b03-7421-4761-8caa-cbea82d89fe3", "created": "2024-03-26T15:40:06.457Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--9897bb19-d5bb-4c43-9415-983ba5c5bbe5.json b/ics-attack/relationship/relationship--9897bb19-d5bb-4c43-9415-983ba5c5bbe5.json index 00151ea536..278d2086f8 100644 --- a/ics-attack/relationship/relationship--9897bb19-d5bb-4c43-9415-983ba5c5bbe5.json +++ b/ics-attack/relationship/relationship--9897bb19-d5bb-4c43-9415-983ba5c5bbe5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--49b04c93-2ac3-4898-83e0-a30d8bdd2d24", + "id": "bundle--120ae4e5-ea41-4b66-abe4-7bb48f28a098", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--9897bb19-d5bb-4c43-9415-983ba5c5bbe5", "created": "2025-09-29T19:52:11.047Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--98d7d238-3473-4e3c-adc0-3c8d33341466.json b/ics-attack/relationship/relationship--98d7d238-3473-4e3c-adc0-3c8d33341466.json new file mode 100644 index 0000000000..83c20a3c63 --- /dev/null +++ b/ics-attack/relationship/relationship--98d7d238-3473-4e3c-adc0-3c8d33341466.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--165dc5c8-8f85-4fa6-895c-ea7fdaef29c1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--98d7d238-3473-4e3c-adc0-3c8d33341466", + "created": "2026-04-23T00:26:22.850Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:31:30.672Z", + "description": "ll field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--98e109ce-29d8-4711-91c1-a6322b20bd3a.json b/ics-attack/relationship/relationship--98e109ce-29d8-4711-91c1-a6322b20bd3a.json new file mode 100644 index 0000000000..3bc2b8b7da --- /dev/null 
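Review bot: The `description` added in relationship--98d7d238-3473-4e3c-adc0-3c8d33341466.json starts with `ll field controllers should restrict the download of programs`, so the first letter of the sentence was lost. This string is the mitigation guidance shown to defenders for the `mitigates` relationship and should read `"description": "All field controllers should restrict the download of programs, ...`. In the same sentence, `(e.g., engineers, field technician)` mixes plural and singular; `field technicians` reads consistently.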
+++ b/ics-attack/relationship/relationship--98e109ce-29d8-4711-91c1-a6322b20bd3a.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--6d689d4c-13b8-493f-8cb9-e885e4636e48", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--98e109ce-29d8-4711-91c1-a6322b20bd3a", + "created": "2026-04-22T20:16:47.589Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:16:47.589Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json b/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json index 46834e6019..a3e866492b 100644 --- a/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json +++ b/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd493807-a447-4f6e-a205-56eaa187b678", + "id": "bundle--73eaebc6-e8a6-4588-bdde-96fc22cde2f9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--98f91f4f-050b-43b7-a033-589ec507913f.json b/ics-attack/relationship/relationship--98f91f4f-050b-43b7-a033-589ec507913f.json index 878defb228..07ee832a3b 100644 --- a/ics-attack/relationship/relationship--98f91f4f-050b-43b7-a033-589ec507913f.json +++ b/ics-attack/relationship/relationship--98f91f4f-050b-43b7-a033-589ec507913f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--26480b83-5478-48fc-9f17-f3476fa0a01c", + "id": "bundle--286ca253-5928-46f1-8b13-7e4cb5faa691", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--442bf059-f7cf-460b-8200-f35e1e0a0c78", "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", diff --git a/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json b/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json index 685379a4cf..0ac8ae12c0 100644 --- a/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json +++ b/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f0e5655e-62fe-42a9-97e3-2784a94e57f2", + "id": "bundle--4ab4f4e1-e5b0-4948-9f7a-6afbb249255f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", diff --git a/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json b/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json index ebab81bd6a..638b96d3b6 100644 --- a/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json +++ b/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc33265c-6ce4-40ef-a3d5-405b72d19c2d", + "id": "bundle--9713d0d5-7206-4496-903b-0c42a9ebef54", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--990f944f-190d-456d-b194-f5ecb17a0868", "created": "2019-06-24T17:20:24.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Catalin Cimpanu April 2016", diff --git a/ics-attack/relationship/relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134.json b/ics-attack/relationship/relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134.json index e19425a132..e1fa9c810f 100644 --- a/ics-attack/relationship/relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134.json +++ b/ics-attack/relationship/relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3fa53296-237a-4097-b9c8-71367c271479", + "id": "bundle--6692aaca-272f-4cec-bdff-8ec3d271c78c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134", "created": "2023-09-29T18:03:23.576Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:46.711Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--f5c9f641-a498-46b5-9068-39502db53cfd.json b/ics-attack/relationship/relationship--99d2eeab-8ace-41c9-b47d-4058dd906136.json similarity index 71% rename from ics-attack/relationship/relationship--f5c9f641-a498-46b5-9068-39502db53cfd.json rename to ics-attack/relationship/relationship--99d2eeab-8ace-41c9-b47d-4058dd906136.json index d15b35048e..25cff412ab 100644 --- a/ics-attack/relationship/relationship--f5c9f641-a498-46b5-9068-39502db53cfd.json +++ b/ics-attack/relationship/relationship--99d2eeab-8ace-41c9-b47d-4058dd906136.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--66b6acf3-a015-4a50-9b71-641955bd9229", + "id": "bundle--984d3382-2f15-48b6-9804-908cf94a1f55", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--f5c9f641-a498-46b5-9068-39502db53cfd", + "id": "relationship--99d2eeab-8ace-41c9-b47d-4058dd906136", "created": "2023-09-28T20:10:55.590Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:30.721Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json b/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json index f7a9caebae..12715e47a8 100644 --- a/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json +++ b/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce6c8180-6498-43d2-aa90-3be29d5fb433", + "id": "bundle--4493fda8-3079-4117-bed1-95bb203d32b4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f.json b/ics-attack/relationship/relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f.json index 5b508e27b7..600193d593 100644 --- a/ics-attack/relationship/relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f.json 
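Review bot: The object in relationship--99d2eeab-8ace-41c9-b47d-4058dd906136.json gets a new `id`, a different `source_ref` and `x_mitre_attack_spec_version` 3.3.0, but `created` and `modified` keep the old values (`modified` stays `2025-04-16T23:05:30.721Z`). Tooling that syncs incrementally on `modified`, or audits when a technique-to-asset mapping changed, would see a relationship that appears to predate this change. The previous id, relationship--f5c9f641-a498-46b5-9068-39502db53cfd, also disappears with no revoked record. If the timestamps are not carried over on purpose, set `modified` to the time of this edit. The rename to relationship--9b802cf9-03e4-414f-af09-fc108e96839c.json follows the same pattern with a changed `target_ref`; its `modified` line lies outside the visible hunks, so this is inferred there.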
+++ b/ics-attack/relationship/relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--795ba6a0-4c23-4b7a-a2e2-90ce2c3f12b2", + "id": "bundle--608ad10a-0ad0-4d7e-b031-797a5a452451", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f", "created": "2023-09-28T19:56:54.642Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:47.341Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json b/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json index 5a2a7c2619..af840b93f3 100644 --- a/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json +++ b/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0a325c17-5a3f-4840-9707-06020c9c517e", + "id": "bundle--49aa7974-8f7e-41f2-a4a0-fb22a06a93da", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9a55e351-d3b7-460a-9a9d-6714c00db5f0.json b/ics-attack/relationship/relationship--9a55e351-d3b7-460a-9a9d-6714c00db5f0.json index 89fafef92b..a5ecde5a2d 100644 --- a/ics-attack/relationship/relationship--9a55e351-d3b7-460a-9a9d-6714c00db5f0.json +++ b/ics-attack/relationship/relationship--9a55e351-d3b7-460a-9a9d-6714c00db5f0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b9573a7-a823-4acc-b47d-6231715f8286", + "id": "bundle--3b19b1b7-48e9-4195-8960-673a2ae9dfe5", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--9a55e351-d3b7-460a-9a9d-6714c00db5f0", "created": "2024-03-25T19:59:09.628Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "CISA AA23-335A IRGC-Affiliated December 2023", diff --git a/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json b/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json index 25f60de6e9..c980f53bf8 100644 --- a/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json +++ b/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b6c5f63f-90dc-40ed-9644-f06973556f49", + "id": "bundle--a6beba8b-9581-4033-b518-e83084dec213", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9aacca46-bf65-4247-b14c-65359d1b47db.json b/ics-attack/relationship/relationship--9aacca46-bf65-4247-b14c-65359d1b47db.json new file mode 100644 index 0000000000..4311c8fe21 --- /dev/null +++ b/ics-attack/relationship/relationship--9aacca46-bf65-4247-b14c-65359d1b47db.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--2cc8690c-79be-4a65-9030-707089671d6c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9aacca46-bf65-4247-b14c-65359d1b47db", + "created": "2026-04-23T00:40:25.161Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:10:03.995Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9abf0914-2508-4717-9f1a-8f209c2d20a3.json b/ics-attack/relationship/relationship--9abf0914-2508-4717-9f1a-8f209c2d20a3.json index f7ae564318..075f3655a5 100644 --- a/ics-attack/relationship/relationship--9abf0914-2508-4717-9f1a-8f209c2d20a3.json +++ b/ics-attack/relationship/relationship--9abf0914-2508-4717-9f1a-8f209c2d20a3.json 
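Review bot: The `external_references` entry added in relationship--9aacca46-bf65-4247-b14c-65359d1b47db.json has the description `Department of Homeland Security 2016, September Retrieved. 2020/09/25 `, which names no document title, has misplaced punctuation and ends in a trailing space. A reader validating the allowlist guidance has only the URL to identify the source, and that URL points at the `us-cert.cisa.gov` host, so it is worth confirming the link still resolves. A citation of the form `"description": "Department of Homeland Security. (2016, September). <document title>. Retrieved 2020/09/25."` would stay useful if the link breaks (`<document title>` is a placeholder for the real title). The same entry is added in relationship--9b7bc0f3-c7cf-47e4-a3ed-0f91e01831ca.json.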
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d85f771-522b-43ca-b9bb-39a83eec4ccd", + "id": "bundle--e50d1cf6-9ba2-4eae-a297-fe3a95434377", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--9abf0914-2508-4717-9f1a-8f209c2d20a3", "created": "2025-09-24T17:55:33.001Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8.json b/ics-attack/relationship/relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8.json index 9e2c8e9d1d..10a0a001b3 100644 --- a/ics-attack/relationship/relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8.json +++ b/ics-attack/relationship/relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b128fe7-8d2f-433e-bae4-a4f00ba998e1", + "id": "bundle--5f0d2144-1233-44e8-af55-26cee05d2430", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8", "created": "2023-09-29T18:58:05.958Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:48.878Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", diff --git a/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json b/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json index 02713adcff..9e6832a9c7 100644 --- a/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json +++ b/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc11c922-de8c-4551-ad57-a6c22a620344", + "id": "bundle--f19d19f0-9c02-4600-89a8-cd5fa90b044e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9b7bc0f3-c7cf-47e4-a3ed-0f91e01831ca.json b/ics-attack/relationship/relationship--9b7bc0f3-c7cf-47e4-a3ed-0f91e01831ca.json new file mode 100644 index 0000000000..2e2e8ebb00 --- /dev/null +++ b/ics-attack/relationship/relationship--9b7bc0f3-c7cf-47e4-a3ed-0f91e01831ca.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--11c27479-1570-46ef-bcd1-3771ea9e9f95", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9b7bc0f3-c7cf-47e4-a3ed-0f91e01831ca", + "created": "2026-04-23T00:06:49.258Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:07:18.485Z", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json b/ics-attack/relationship/relationship--9b802cf9-03e4-414f-af09-fc108e96839c.json similarity index 74% rename from ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json rename to ics-attack/relationship/relationship--9b802cf9-03e4-414f-af09-fc108e96839c.json index 77ec9ffefa..e6a957b69a 100644 --- a/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json +++ b/ics-attack/relationship/relationship--9b802cf9-03e4-414f-af09-fc108e96839c.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--56d2148f-0c1d-443c-9cd8-68379ef09333", + "id": "bundle--4e56ced8-7b1f-4ee6-8380-5900b362790c", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--46332a77-2fd6-4033-96cf-6163172775ec", + "id": "relationship--9b802cf9-03e4-414f-af09-fc108e96839c", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json b/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json index 15f5ac1626..118b3e2df1 100644 
--- a/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json +++ b/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dafd815a-e1a6-4b68-a82c-1b03573bfc16", + "id": "bundle--23cfb506-ee77-4424-a568-3364aacf3b8f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Xenotime 2018", diff --git a/ics-attack/relationship/relationship--9ba6c904-d1bd-46dd-95fb-6da58333fa40.json b/ics-attack/relationship/relationship--9ba6c904-d1bd-46dd-95fb-6da58333fa40.json new file mode 100644 index 0000000000..6794c51f7e --- /dev/null +++ b/ics-attack/relationship/relationship--9ba6c904-d1bd-46dd-95fb-6da58333fa40.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--e83cfc15-850c-4d93-af3a-2940f9f332fc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9ba6c904-d1bd-46dd-95fb-6da58333fa40", + "created": "2026-04-22T13:57:38.576Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:35:41.060Z", + "description": "Devices should authenticate all messages between master and outstation assets.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--9bb98efc-3712-4df3-a1a4-8dfefd2983fa.json b/ics-attack/relationship/relationship--9bb98efc-3712-4df3-a1a4-8dfefd2983fa.json index c444a54732..e2e75c2e3b 100644 --- a/ics-attack/relationship/relationship--9bb98efc-3712-4df3-a1a4-8dfefd2983fa.json +++ b/ics-attack/relationship/relationship--9bb98efc-3712-4df3-a1a4-8dfefd2983fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0890e726-f8f4-41b1-b938-32627bc3b1e8", + "id": "bundle--02158be8-dd76-434d-aa2f-6c250083436e", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--58b4bda4-d69a-4a20-ab67-308c4451a5e8", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", diff --git a/ics-attack/relationship/relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5.json b/ics-attack/relationship/relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5.json index ac11d492d3..7660c34929 100644 --- a/ics-attack/relationship/relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5.json +++ b/ics-attack/relationship/relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3a028cce-b754-4229-aa3f-1172969484d1", + "id": "bundle--2ffcdaeb-1cf3-4026-9d27-60429bf756ee", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5", "created": "2023-09-28T19:59:44.009Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:49.859Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
diff --git a/ics-attack/relationship/relationship--9ca97ea4-faf6-484c-bccf-311c282bed02.json b/ics-attack/relationship/relationship--9ca97ea4-faf6-484c-bccf-311c282bed02.json index d0a4cafbf5..d9478a5f4e 100644 --- a/ics-attack/relationship/relationship--9ca97ea4-faf6-484c-bccf-311c282bed02.json +++ b/ics-attack/relationship/relationship--9ca97ea4-faf6-484c-bccf-311c282bed02.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8a24291-47b2-4ce1-a7e6-4e4ea4ede21e", + "id": "bundle--bcb19232-44fe-46c0-b7c8-ea322dde4d86", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--9ca97ea4-faf6-484c-bccf-311c282bed02", "created": "2025-09-29T21:57:09.083Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json b/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json index 0a0c7f3d36..5045d7f61c 100644 --- a/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json +++ b/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--361ca5a1-9f1f-4f4a-9532-260420f30d5d", + "id": "bundle--e7927bfe-b8aa-441d-ac24-928cff686b24", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9ce25235-ad56-4158-a392-31ef70b10c2a.json b/ics-attack/relationship/relationship--9ce25235-ad56-4158-a392-31ef70b10c2a.json index b8e765d63c..222b8b7f0e 100644 --- a/ics-attack/relationship/relationship--9ce25235-ad56-4158-a392-31ef70b10c2a.json +++ b/ics-attack/relationship/relationship--9ce25235-ad56-4158-a392-31ef70b10c2a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--40a60f45-9490-4c13-a755-c70dba31e0ac", + "id": "bundle--6c532994-2dbc-4d09-ae40-cb9df6306400", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--9ce25235-ad56-4158-a392-31ef70b10c2a", "created": "2025-09-29T19:52:49.261Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379.json b/ics-attack/relationship/relationship--9cfee66a-96e2-4dd9-b046-19f3562b3112.json similarity index 71% rename from ics-attack/relationship/relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379.json rename to ics-attack/relationship/relationship--9cfee66a-96e2-4dd9-b046-19f3562b3112.json index a7e1543aa4..7fb23486f8 100644 --- a/ics-attack/relationship/relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379.json +++ b/ics-attack/relationship/relationship--9cfee66a-96e2-4dd9-b046-19f3562b3112.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--dce198a8-d004-4789-bf37-b406afffb666", + "id": "bundle--8e9bbe75-d0ef-4ba7-bd2c-37c9b65e9242", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379", + "id": "relationship--9cfee66a-96e2-4dd9-b046-19f3562b3112", "created": "2023-09-28T21:17:32.313Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:10.410Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
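Review bot: In the `@@ -13,13 +13,12 @@` hunk of the file renamed to relationship--9cfee66a, the object gets a new `id`, a new `source_ref` and `x_mitre_attack_spec_version` 3.3.0, yet the context line `"modified": "2025-04-16T23:04:10.410Z"` is carried over unchanged. A pipeline that syncs incrementally on `modified` would presumably never pick up this new edge, and the old id relationship--af25cacc disappears without a revoked tombstone visible here, so cached copies may keep pointing at the previous technique. The timestamp should be bumped with the content, e.g. `"modified": "<RELEASE_TIMESTAMP>",` (placeholder). The renamed 9d69d936, 9e44709f and a07f265e sections show the same pattern. In the 9b802cf9 and a05f4a7a renames the `modified` line falls outside the hunks and should be checked as well.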
diff --git a/ics-attack/relationship/relationship--9d10209f-077c-4d25-87e9-c1ea423a528f.json b/ics-attack/relationship/relationship--9d10209f-077c-4d25-87e9-c1ea423a528f.json new file mode 100644 index 0000000000..bbb1268b9f --- /dev/null +++ b/ics-attack/relationship/relationship--9d10209f-077c-4d25-87e9-c1ea423a528f.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--fa6fd419-ac40-4437-b344-2cb506864b63", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9d10209f-077c-4d25-87e9-c1ea423a528f", + "created": "2026-04-22T20:19:16.164Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:19:16.164Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9d463aef-aa70-4375-9ed3-4b0387ba70e6.json b/ics-attack/relationship/relationship--9d463aef-aa70-4375-9ed3-4b0387ba70e6.json new file mode 100644 index 0000000000..063ff392b6 --- /dev/null +++ b/ics-attack/relationship/relationship--9d463aef-aa70-4375-9ed3-4b0387ba70e6.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--fe31ea7a-b91e-44cf-bce9-fc412be566f6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9d463aef-aa70-4375-9ed3-4b0387ba70e6", + "created": "2026-04-23T00:38:38.695Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:31:43.196Z", + "description": "ll field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51.json b/ics-attack/relationship/relationship--9d69d936-58a0-4453-8424-40fcc7bc2e1c.json similarity index 71% rename from ics-attack/relationship/relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51.json rename to ics-attack/relationship/relationship--9d69d936-58a0-4453-8424-40fcc7bc2e1c.json index 8490b61f02..dd3f64152b 100644 --- a/ics-attack/relationship/relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51.json +++ b/ics-attack/relationship/relationship--9d69d936-58a0-4453-8424-40fcc7bc2e1c.json 
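Review bot: The added `description` in the new file relationship--9d463aef starts with `ll field controllers`, so the first letter of the sentence was lost. Because this text is the mitigation guidance shown to defenders for the targeted technique, it should read `"description": "All field controllers should restrict the download of programs, ...` with the rest of the sentence unchanged. The list in the parenthesis also mixes plural and singular (`engineers, field technician`); `field technicians` would match.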
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--704ea8c3-b238-43c1-906e-9a96105032c6", + "id": "bundle--de537439-2568-4657-94db-37e74fe1b3d4", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51", + "id": "relationship--9d69d936-58a0-4453-8424-40fcc7bc2e1c", "created": "2023-09-29T17:05:20.132Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:31.104Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json b/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json index 2062b02426..eda9f3dc1f 100644 --- a/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json +++ b/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2efbf7ba-6da7-4d6d-9eb6-3dcc390893a5", + "id": "bundle--3db4f71b-367d-46ad-88b8-5dd44e61a12c", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", 
diff --git a/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json b/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json index ec99359cf9..1dad1fa1ad 100644 --- a/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json +++ b/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8f33853a-f643-4ff2-b600-4d2a05f2d890", + "id": "bundle--79276a2e-6275-417a-a9bc-6a1c86382f19", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--9db1ecfe-72eb-42da-a09e-746663a53854", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "MDudek-ICS", diff --git a/ics-attack/relationship/relationship--d648b3c7-77d2-42f3-a367-620621b714ab.json b/ics-attack/relationship/relationship--9e44709f-7068-4a2e-935b-44b309b76acd.json similarity index 71% rename from ics-attack/relationship/relationship--d648b3c7-77d2-42f3-a367-620621b714ab.json rename to ics-attack/relationship/relationship--9e44709f-7068-4a2e-935b-44b309b76acd.json index 07394461fe..a7970a4132 100644 --- a/ics-attack/relationship/relationship--d648b3c7-77d2-42f3-a367-620621b714ab.json +++ b/ics-attack/relationship/relationship--9e44709f-7068-4a2e-935b-44b309b76acd.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--7b6117e8-712e-4153-8227-5537690ccd13", + "id": "bundle--091c25ed-2568-44ba-a7fd-d2f7088cab1c", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--d648b3c7-77d2-42f3-a367-620621b714ab", + "id": "relationship--9e44709f-7068-4a2e-935b-44b309b76acd", "created": "2023-09-28T21:11:29.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:56.117Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500.json b/ics-attack/relationship/relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500.json index 1dc75955de..fabe50799a 100644 --- a/ics-attack/relationship/relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500.json +++ b/ics-attack/relationship/relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d5af837-5654-4b93-ac01-03b906c77bd7", + "id": "bundle--17b36942-b86e-4eb2-9c77-00de1e4e84d2", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500", "created": "2023-09-29T18:07:28.902Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:52.125Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json b/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json index 7720c86d55..6e63cfc711 100644 --- a/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json 
+++ b/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9f54e7cd-5816-483c-9d87-37c6a5d26411", + "id": "bundle--6a2e66f6-f341-426b-b9d4-353bfd937c4d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42", "created": "2021-01-04T21:30:14.830Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET Industroyer", diff --git a/ics-attack/relationship/relationship--9f2926a2-596f-459e-827e-6fe2d4646efd.json b/ics-attack/relationship/relationship--9f2926a2-596f-459e-827e-6fe2d4646efd.json index 4bbaee0928..7367ca3f44 100644 --- a/ics-attack/relationship/relationship--9f2926a2-596f-459e-827e-6fe2d4646efd.json +++ b/ics-attack/relationship/relationship--9f2926a2-596f-459e-827e-6fe2d4646efd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aaac8845-133c-4a6d-b3f7-92810888cf31", + "id": "bundle--af3d44a7-cb46-4e17-b339-c003c9d48937", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--9f2926a2-596f-459e-827e-6fe2d4646efd", "created": "2023-09-29T18:06:46.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:52.641Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--9f2f9cba-b7fc-45cb-8e66-e2f8f99ebe35.json b/ics-attack/relationship/relationship--9f2f9cba-b7fc-45cb-8e66-e2f8f99ebe35.json index 4a2fbe36d1..f2352d196d 100644 --- a/ics-attack/relationship/relationship--9f2f9cba-b7fc-45cb-8e66-e2f8f99ebe35.json 
+++ b/ics-attack/relationship/relationship--9f2f9cba-b7fc-45cb-8e66-e2f8f99ebe35.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--77cf586f-be82-429f-b154-972efc124518", + "id": "bundle--c3486c6d-b123-4d1b-b371-1ad1c55edd77", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--9f2f9cba-b7fc-45cb-8e66-e2f8f99ebe35", "created": "2025-09-29T19:01:58.777Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--9f43126d-5f6c-42a9-9908-49175c27ead7.json b/ics-attack/relationship/relationship--9f43126d-5f6c-42a9-9908-49175c27ead7.json index 629da63487..6b94b0b7d7 100644 --- a/ics-attack/relationship/relationship--9f43126d-5f6c-42a9-9908-49175c27ead7.json +++ b/ics-attack/relationship/relationship--9f43126d-5f6c-42a9-9908-49175c27ead7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--135afc1c-23c1-4f98-95e8-f5a9cc9efb2d", + "id": "bundle--463883d9-a4ac-437c-abe8-f7392cc85c1d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--9f43126d-5f6c-42a9-9908-49175c27ead7", "created": "2023-03-30T19:27:26.398Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Industroyer2 ESET April 2022", diff --git a/ics-attack/relationship/relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json b/ics-attack/relationship/relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json index 30b009a330..e99f09d1c0 100644 --- a/ics-attack/relationship/relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json +++ b/ics-attack/relationship/relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7c2adf6c-ae8c-4607-98b0-62322b20bcdc", + "id": "bundle--9a211b21-077c-42d6-a46e-a4637fc35029", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3", "created": "2023-09-28T21:12:14.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:52.949Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47.json b/ics-attack/relationship/relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47.json index 3c0913ba47..4e20051023 100644 --- a/ics-attack/relationship/relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47.json +++ b/ics-attack/relationship/relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c3ddcc69-304b-476d-a21d-54b78f51b786", + "id": "bundle--4dccf773-069e-427c-ab7e-6827c4387316", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47", "created": "2023-09-28T20:04:19.147Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:53.610Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--a0151b8f-30ee-49da-8365-17f34eab0825.json b/ics-attack/relationship/relationship--a0151b8f-30ee-49da-8365-17f34eab0825.json index ad3de1e22b..40cfae0dc2 100644 --- a/ics-attack/relationship/relationship--a0151b8f-30ee-49da-8365-17f34eab0825.json +++ b/ics-attack/relationship/relationship--a0151b8f-30ee-49da-8365-17f34eab0825.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--112378a9-510e-4aef-8be2-401c9e38af7f", + "id": "bundle--669bb0bc-58a5-4633-9ae9-4c315ea9fe01", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a0151b8f-30ee-49da-8365-17f34eab0825", "created": "2025-09-24T18:23:29.097Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--a016cddb-5cd8-485b-a207-9860e9ec0a02.json b/ics-attack/relationship/relationship--a016cddb-5cd8-485b-a207-9860e9ec0a02.json new file mode 100644 index 0000000000..a866f7f862 --- /dev/null +++ b/ics-attack/relationship/relationship--a016cddb-5cd8-485b-a207-9860e9ec0a02.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--9f2521f1-b943-46a7-82a1-3f88169bb9f6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a016cddb-5cd8-485b-a207-9860e9ec0a02", + "created": "2026-04-23T00:02:30.922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:02:30.922Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json b/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json index bf54703394..061c5a26c1 100644 --- a/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json 
+++ b/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--19f71f27-12b3-45aa-b9d4-486aa60f84b6", + "id": "bundle--1122702e-0ba6-4e73-bb3d-0dac15b4cb55", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a04169ed-c16b-466b-80ef-22a11067f475", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", diff --git a/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json b/ics-attack/relationship/relationship--a05f4a7a-eebb-463a-97e6-1088b94fa78b.json similarity index 78% rename from ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json rename to ics-attack/relationship/relationship--a05f4a7a-eebb-463a-97e6-1088b94fa78b.json index 165fe4b987..a7b1b51f1b 100644 --- a/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json +++ b/ics-attack/relationship/relationship--a05f4a7a-eebb-463a-97e6-1088b94fa78b.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--8e096ee1-d3cd-405e-8739-d8a39d42f880", + "id": "bundle--4af1a64f-4309-4ae7-9eea-71f1827ed8f8", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--68d30c45-766f-48b6-9405-0c969243332b", + "id": "relationship--a05f4a7a-eebb-463a-97e6-1088b94fa78b", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -15,10 +16,10 @@ "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1.json b/ics-attack/relationship/relationship--a07f265e-e04e-496c-b1bd-65f57b85a491.json similarity index 71% rename from ics-attack/relationship/relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1.json rename to ics-attack/relationship/relationship--a07f265e-e04e-496c-b1bd-65f57b85a491.json index 639586b91d..adb709f1be 100644 --- a/ics-attack/relationship/relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1.json +++ b/ics-attack/relationship/relationship--a07f265e-e04e-496c-b1bd-65f57b85a491.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--1d07b9ce-479f-48b8-a89c-d763d9aaa197", + "id": "bundle--5345465b-82df-4671-97b7-e91697f0b4a2", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1", + "id": "relationship--a07f265e-e04e-496c-b1bd-65f57b85a491", "created": "2023-09-29T16:40:30.440Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:11.511Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json b/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json index 85553520e4..019bbf4263 100644 --- a/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json +++ b/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85518757-2a72-43ce-a034-c70e43d3aa98", + "id": "bundle--4076309e-755a-44e1-98f7-efe3b2b42d43", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json b/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json index c6f07d7d2a..163709fdcc 100644 --- a/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json +++ b/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a975e0b4-4854-4a5c-b0c4-dd6b9f06c860", + "id": "bundle--78b3397c-c726-4bf8-9c60-115bbf1d564a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a15d718f-af30-4745-a837-887ba8f48727.json b/ics-attack/relationship/relationship--a15d718f-af30-4745-a837-887ba8f48727.json index 57b3604403..f9a04260b6 100644 
--- a/ics-attack/relationship/relationship--a15d718f-af30-4745-a837-887ba8f48727.json +++ b/ics-attack/relationship/relationship--a15d718f-af30-4745-a837-887ba8f48727.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--508236e3-c31d-4153-b3f9-45999b940c66", + "id": "bundle--0c533a85-d3f7-49cd-a706-c47e3e09faea", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a15d718f-af30-4745-a837-887ba8f48727", "created": "2023-09-29T16:30:46.705Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:54.855Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json b/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json index 56123250c7..df52781304 100644 --- a/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json +++ b/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4f17a9fb-f862-411b-90bf-e11b13aeb015", + "id": "bundle--6419db44-67ee-4d84-9beb-dcf125e4a810", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Inc. June 2017", diff --git a/ics-attack/relationship/relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476.json b/ics-attack/relationship/relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476.json index 19a080da3b..77049a4439 100644 
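Review bot: The `revoked` key is serialized inconsistently in this commit: the `@@ -8,12 +8,10 @@` hunk for `relationship--a15d718f-af30-4745-a837-887ba8f48727` drops `"revoked": false` from an object whose id is unchanged, while the renamed and newly added relationship files (for example `relationship--a05f4a7a-…` and `relationship--a23297f1-…`) add that same line. Absent and `false` mean the same to a STIX parser, but tooling that tests the key with strict equality, or that diffs bundles to spot revocations, sees churn across many files with no change in meaning. Whatever generates these files should pick one form and apply it to every object. The same removal repeats in the `a1cbbdb5`, `a1d2df14`, `a1d99bbc`, `a221bbb3` and later hunks.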
--- a/ics-attack/relationship/relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476.json +++ b/ics-attack/relationship/relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f1fdd5e5-6ffe-48ba-815f-85b9935cc765", + "id": "bundle--e2101b74-80e2-4eeb-ab41-26a0b575a643", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476", "created": "2023-09-29T16:43:16.472Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:55.269Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3.json b/ics-attack/relationship/relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3.json index d4ae080c0d..60cdf82f29 100644 --- a/ics-attack/relationship/relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3.json +++ b/ics-attack/relationship/relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6bb8e424-8a81-4e90-8e07-57b5d9f1bd7d", + "id": "bundle--07e2ea11-5973-4884-a79d-ba90cffe02e9", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3", "created": "2023-09-29T16:28:17.629Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:55.467Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
diff --git a/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json b/ics-attack/relationship/relationship--a1e6b6f0-b13c-48a0-b62d-12dfb80112ad.json similarity index 74% rename from ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json rename to ics-attack/relationship/relationship--a1e6b6f0-b13c-48a0-b62d-12dfb80112ad.json index 03882256f1..22d7069638 100644 --- a/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json +++ b/ics-attack/relationship/relationship--a1e6b6f0-b13c-48a0-b62d-12dfb80112ad.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--e3ecdbd2-32e6-4cd1-9457-c53a82c2a39f", + "id": "bundle--b98285d5-a9db-44b1-8a3b-fce111d9ff04", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22", + "id": "relationship--a1e6b6f0-b13c-48a0-b62d-12dfb80112ad", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a20bde51-3ed9-4306-92cd-f4f12d3aa8aa.json b/ics-attack/relationship/relationship--a20bde51-3ed9-4306-92cd-f4f12d3aa8aa.json index 44906201af..edf915c065 100644 
--- a/ics-attack/relationship/relationship--a20bde51-3ed9-4306-92cd-f4f12d3aa8aa.json +++ b/ics-attack/relationship/relationship--a20bde51-3ed9-4306-92cd-f4f12d3aa8aa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--79a5b023-89b8-41ad-a1e3-acca6c0c5625", + "id": "bundle--ec6844c8-25bd-43ea-8de3-bd4dfc094478", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--f1a7e304-d05f-4e48-89b7-8b034f507c32", "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", diff --git a/ics-attack/relationship/relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039.json b/ics-attack/relationship/relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039.json index 3dab09ce1e..9d84bd9e27 100644 --- a/ics-attack/relationship/relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039.json +++ b/ics-attack/relationship/relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0a6ca80-e737-4766-9a1e-de965c6f0445", + "id": "bundle--2dd6439b-ae26-4ef5-b413-3596f286ce64", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039", "created": "2023-09-28T21:16:05.517Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:55.878Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json b/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json index 395f9a432f..53199ab7af 100644 
--- a/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json +++ b/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c9d6e32-1f20-4fb6-9959-495202e601ab", + "id": "bundle--5d81c8c4-122f-4952-9df8-cc1d4f6db68c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a23297f1-58b9-48f4-8289-e81c34d9a522.json b/ics-attack/relationship/relationship--a23297f1-58b9-48f4-8289-e81c34d9a522.json new file mode 100644 index 0000000000..463a1c5c1f --- /dev/null +++ b/ics-attack/relationship/relationship--a23297f1-58b9-48f4-8289-e81c34d9a522.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--76542087-f957-4d9d-9518-51e6e00b68e1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a23297f1-58b9-48f4-8289-e81c34d9a522", + "created": "2026-04-23T00:05:58.225Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:35:02.270Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json b/ics-attack/relationship/relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json index 14d25b0010..9464dff31d 100644 --- a/ics-attack/relationship/relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json +++ b/ics-attack/relationship/relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--141f3d8e-fc61-42f0-8d64-423d78c9494f", + "id": "bundle--97a39283-b39a-4ef7-a8a7-c61c0ba0b8ff", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b", "created": "2023-09-29T16:44:03.912Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:56.284Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d.json b/ics-attack/relationship/relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d.json index 1522d70ba6..60f91cb165 100644 --- a/ics-attack/relationship/relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d.json +++ b/ics-attack/relationship/relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--759ca136-aed1-48dc-9481-7acae8101dc9", + "id": "bundle--5eb6a2a3-1fee-4e04-9422-22bd43031eb5", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d", "created": "2023-09-29T18:04:05.993Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:56.481Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json b/ics-attack/relationship/relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json index 447626367e..9d0944423f 100644 --- a/ics-attack/relationship/relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json +++ b/ics-attack/relationship/relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0933ccc1-7f8b-4d98-b605-c98e76eb0308", + "id": "bundle--9002a2db-f57f-42f8-9f87-9a21454be881", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9", "created": "2023-09-29T16:36:28.818Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:56.945Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", 
diff --git a/ics-attack/relationship/relationship--9d5e2e86-8499-4051-93fc-c959ff1b6577.json b/ics-attack/relationship/relationship--a31d48c1-785e-4587-a102-d910054143fb.json similarity index 78% rename from ics-attack/relationship/relationship--9d5e2e86-8499-4051-93fc-c959ff1b6577.json rename to ics-attack/relationship/relationship--a31d48c1-785e-4587-a102-d910054143fb.json index 87a4711945..ff797a7fa5 100644 --- a/ics-attack/relationship/relationship--9d5e2e86-8499-4051-93fc-c959ff1b6577.json +++ b/ics-attack/relationship/relationship--a31d48c1-785e-4587-a102-d910054143fb.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--02c50ff3-8a82-42e6-997c-6cafe6db027d", + "id": "bundle--eea3e1fc-7591-47e4-9caf-3e25aa573929", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--9d5e2e86-8499-4051-93fc-c959ff1b6577", + "id": "relationship--a31d48c1-785e-4587-a102-d910054143fb", "created": "2025-09-24T18:22:30.026Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-24T18:22:30.026Z", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, diff --git a/ics-attack/relationship/relationship--a3447ec8-3224-4485-9324-cdc77231aaa5.json b/ics-attack/relationship/relationship--a3447ec8-3224-4485-9324-cdc77231aaa5.json index 8507eba519..cf56d026e8 100644 --- a/ics-attack/relationship/relationship--a3447ec8-3224-4485-9324-cdc77231aaa5.json +++ b/ics-attack/relationship/relationship--a3447ec8-3224-4485-9324-cdc77231aaa5.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9de4e456-1cb7-4f5d-8223-593155b97103", + "id": "bundle--d2a3f896-cbaa-417a-bfdd-a8228f611b29", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--930b268b-abf0-485f-9854-60c1cfdd2d33", "target_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", diff --git a/ics-attack/relationship/relationship--a36492bd-175a-4c39-9c56-32d06660dd05.json b/ics-attack/relationship/relationship--a36492bd-175a-4c39-9c56-32d06660dd05.json index 79708329b5..cd6cd78d24 100644 --- a/ics-attack/relationship/relationship--a36492bd-175a-4c39-9c56-32d06660dd05.json +++ b/ics-attack/relationship/relationship--a36492bd-175a-4c39-9c56-32d06660dd05.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d5bb9775-87ad-43c1-9ec5-ce8f8f9044b1", + "id": "bundle--3038209f-deff-494c-9464-fe922682c54f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a36492bd-175a-4c39-9c56-32d06660dd05", "created": "2025-09-29T19:08:51.819Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--a3971be9-7bef-4663-b6c3-3cffc418f76b.json b/ics-attack/relationship/relationship--a3971be9-7bef-4663-b6c3-3cffc418f76b.json new file mode 100644 index 0000000000..8446b658b7 --- /dev/null +++ b/ics-attack/relationship/relationship--a3971be9-7bef-4663-b6c3-3cffc418f76b.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--9833663b-17d9-4f50-bb2d-ae8295f035a6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a3971be9-7bef-4663-b6c3-3cffc418f76b", + "created": "2026-04-22T16:08:28.721Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:54:12.470Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a3c8ede9-78d4-49c0-b1f2-16257c940189.json b/ics-attack/relationship/relationship--a3c8ede9-78d4-49c0-b1f2-16257c940189.json new file mode 100644 index 0000000000..65493432cb --- /dev/null +++ b/ics-attack/relationship/relationship--a3c8ede9-78d4-49c0-b1f2-16257c940189.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--8f2139d4-ef4d-4bf9-b9a3-f4670f07498f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a3c8ede9-78d4-49c0-b1f2-16257c940189", + "created": "2026-04-22T22:51:49.356Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:51:49.356Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json b/ics-attack/relationship/relationship--a3df8609-d9c4-4ef0-9a58-8d7155fba4f7.json similarity index 74% rename from ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json rename to ics-attack/relationship/relationship--a3df8609-d9c4-4ef0-9a58-8d7155fba4f7.json index 653b358a59..d412d829d0 100644 --- a/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json +++ b/ics-attack/relationship/relationship--a3df8609-d9c4-4ef0-9a58-8d7155fba4f7.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--cfef358e-3938-454c-86f9-63fc5853aee5", + "id": "bundle--12b3feaf-16b2-491e-aaed-227fddac77a7", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--234da455-b795-4788-bc5d-22b4b58b2dc7", + "id": "relationship--a3df8609-d9c4-4ef0-9a58-8d7155fba4f7", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -15,10 +16,10 @@ "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c4718fa2-2592-44b0-87d0-f866c118a779.json b/ics-attack/relationship/relationship--a3f1ae82-b279-41ec-828e-40e969c7b165.json similarity index 71% rename from ics-attack/relationship/relationship--c4718fa2-2592-44b0-87d0-f866c118a779.json rename to ics-attack/relationship/relationship--a3f1ae82-b279-41ec-828e-40e969c7b165.json index 9aa097e980..c661040b89 100644 --- a/ics-attack/relationship/relationship--c4718fa2-2592-44b0-87d0-f866c118a779.json +++ b/ics-attack/relationship/relationship--a3f1ae82-b279-41ec-828e-40e969c7b165.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--28b7d8ad-2cae-44bc-8d7c-85e2a77dd086", + "id": "bundle--a166b1c6-5ba1-4874-b7bd-d1e0b192c51b", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--c4718fa2-2592-44b0-87d0-f866c118a779", + "id": "relationship--a3f1ae82-b279-41ec-828e-40e969c7b165", "created": "2023-09-29T18:07:09.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:35.331Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json b/ics-attack/relationship/relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json index 9441caafa4..ef240b5447 100644 --- a/ics-attack/relationship/relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json +++ b/ics-attack/relationship/relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc03c03a-edf0-48c4-a8df-077dcae547e8", + "id": "bundle--ac1a5061-8a47-418a-9545-b6b729706806", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7", "created": "2023-09-29T16:39:54.248Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:57.163Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--a3fb7c3c-7064-43d2-849c-2a5893583de9.json b/ics-attack/relationship/relationship--a3fb7c3c-7064-43d2-849c-2a5893583de9.json new file mode 100644 index 0000000000..ff63080e16 --- /dev/null 
+++ b/ics-attack/relationship/relationship--a3fb7c3c-7064-43d2-849c-2a5893583de9.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--3280724b-c542-4a7a-ab2d-df39f6520f35", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a3fb7c3c-7064-43d2-849c-2a5893583de9", + "created": "2026-04-22T22:37:55.075Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:17:29.121Z", + "description": "Segment operational networks to isolate critical systems and devices that do not require broad network access.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a43e516e-603f-4863-a315-17c998b2f6f8.json b/ics-attack/relationship/relationship--a43e516e-603f-4863-a315-17c998b2f6f8.json new file mode 100644 index 0000000000..28b0d64bb1 --- /dev/null +++ b/ics-attack/relationship/relationship--a43e516e-603f-4863-a315-17c998b2f6f8.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--31c61a93-361a-4f28-9c84-936ff712368a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a43e516e-603f-4863-a315-17c998b2f6f8", + "created": "2026-04-22T13:29:01.989Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:29:01.989Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json b/ics-attack/relationship/relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json index 8fcd58d174..97269bcd07 100644 --- a/ics-attack/relationship/relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json +++ b/ics-attack/relationship/relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--025cac9b-1c0e-43f0-9307-e7d05842d3b9", + "id": "bundle--3002fad0-4725-4262-8b57-8b4c31779c97", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac", "created": "2023-09-29T17:40:58.726Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:57.565Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
diff --git a/ics-attack/relationship/relationship--a48f58bc-4119-4399-b7d1-7e44b867399d.json b/ics-attack/relationship/relationship--a48f58bc-4119-4399-b7d1-7e44b867399d.json new file mode 100644 index 0000000000..b1defcb4ac --- /dev/null +++ b/ics-attack/relationship/relationship--a48f58bc-4119-4399-b7d1-7e44b867399d.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--1aa6d847-a74d-4238-8509-90cfdded9dcf", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a48f58bc-4119-4399-b7d1-7e44b867399d", + "created": "2026-04-22T16:38:52.943Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:38:52.943Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json b/ics-attack/relationship/relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json index 9e39eae022..1d75f6b778 100644 --- a/ics-attack/relationship/relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json +++ b/ics-attack/relationship/relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--972af383-8584-476f-9ab6-68f1cf1e3001", + "id": "bundle--a66583f2-8e2d-4cae-9200-8798f8f2da81", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5", "created": "2023-09-29T17:40:08.922Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:58.166Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json b/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json index 145eb7b0f1..7ac580fd3f 100644 --- a/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json +++ b/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f4905f9-02fa-4b79-a436-8c17cbb812af", + "id": "bundle--a304ffe5-885d-4c0f-97e0-3e46da9c0f08", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", diff --git a/ics-attack/relationship/relationship--a4da9bf3-d9da-4bc3-bb59-a5d17fa53b20.json b/ics-attack/relationship/relationship--a4da9bf3-d9da-4bc3-bb59-a5d17fa53b20.json new file mode 100644 index 0000000000..4aaba34928 --- /dev/null +++ b/ics-attack/relationship/relationship--a4da9bf3-d9da-4bc3-bb59-a5d17fa53b20.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a004bf7c-b272-4505-b452-fbeb82bb29e4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a4da9bf3-d9da-4bc3-bb59-a5d17fa53b20", + "created": "2026-04-22T20:46:51.429Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:46:51.429Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--56bf71a3-a28b-4a8f-84ed-3a71449d47c0", + "target_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a4e9cd0c-75aa-47ec-9fdc-ad9dd8935af2.json b/ics-attack/relationship/relationship--a4e9cd0c-75aa-47ec-9fdc-ad9dd8935af2.json index 73b70686b9..e3e35af93b 100644 --- a/ics-attack/relationship/relationship--a4e9cd0c-75aa-47ec-9fdc-ad9dd8935af2.json +++ b/ics-attack/relationship/relationship--a4e9cd0c-75aa-47ec-9fdc-ad9dd8935af2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0be1287d-698f-43e9-a9a7-60b384f38a67", + "id": "bundle--262725e3-bc62-4183-b3a8-c0782dc784b2", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a4e9cd0c-75aa-47ec-9fdc-ad9dd8935af2", "created": "2025-09-29T19:07:27.830Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf.json b/ics-attack/relationship/relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf.json index 9f44b0c532..c28cfab1f2 100644 
--- a/ics-attack/relationship/relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf.json +++ b/ics-attack/relationship/relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b0686ee4-1c34-42b7-83c2-590bc77a9de7", + "id": "bundle--f6d9866c-b6dc-4f4e-954e-9b5273ac9f47", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf", "created": "2023-09-27T14:45:26.126Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", diff --git a/ics-attack/relationship/relationship--a5b4b91c-0f68-4b88-bd6f-ab226ae9b5f0.json b/ics-attack/relationship/relationship--a5b4b91c-0f68-4b88-bd6f-ab226ae9b5f0.json new file mode 100644 index 0000000000..78697d90f8 --- /dev/null +++ b/ics-attack/relationship/relationship--a5b4b91c-0f68-4b88-bd6f-ab226ae9b5f0.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--a05d53ab-b68a-4efb-b430-9125f2633cde", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a5b4b91c-0f68-4b88-bd6f-ab226ae9b5f0", + "created": "2026-04-22T22:21:44.462Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LockerGoga Revisited", + "description": "Joe Slowik. (2020, March 17). Spyware Stealer Locker Wiper: LockerGoga Revisited. Retrieved April 22, 2026.", + "url": "https://www.dragos.com/blog/industry-news/spyware-stealer-locker-wiper-lockergoga-revisited/" + }, + { + "source_name": "Kevin Beaumont", + "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", + "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" + }, + { + "source_name": "Detecting LockerGoga", + "description": "Oleg Kolesnikov and Harshvardhan Parashar. (2019, April 30). Detecting LockerGoga Targeted IT/OT Cyber Sabotage/Ransomware Attacks. 
Retrieved April 22, 2026.", + "url": "https://www.securonix.com/wp-content/uploads/2021/07/Securonix-Threat-Research-Report-Detecting-LockerGoga.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:39:02.307Z", + "description": "[LockerGoga](https://attack.mitre.org/software/S0372) has disabled all the network interfaces on the system via netsh.exe to include Wi-Fi.(Citation: LockerGoga Revisited)(Citation: Kevin Beaumont)(Citation: Detecting LockerGoga)", + "relationship_type": "uses", + "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "target_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a61fa979-f701-4dbe-b040-397b152ac14f.json b/ics-attack/relationship/relationship--a61fa979-f701-4dbe-b040-397b152ac14f.json new file mode 100644 index 0000000000..d2fea069f1 --- /dev/null +++ b/ics-attack/relationship/relationship--a61fa979-f701-4dbe-b040-397b152ac14f.json 
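Review bot: The "Kevin Beaumont" entry in `external_references` does not follow the citation shape of the two entries beside it: its description has no publication date, a misplaced period in `Retrieved. 2019/10/16 `, a slash-formatted date and a trailing space. The relationship description cites it as evidence for the netsh.exe behaviour, so an analyst validating the mapping needs a citation that can be traced. I would normalise it to `"description": "Kevin Beaumont. (<publication date>). How Lockergoga took down Hydro - ransomware used in targeted attacks aimed at big business. Retrieved October 16, 2019."`, assuming 2019/10/16 is year/month/day and with the publication date filled in from the source. Its `source_name` is an author name where the other two use report titles; that looks like a carried-over convention and may be deliberate.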
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--d9355bed-156a-4cca-908e-5fc9d8fd38af", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a61fa979-f701-4dbe-b040-397b152ac14f", + "created": "2026-04-23T00:37:53.519Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T20:09:02.705Z", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a6277ff6-9cdf-484f-a902-3f9442039905.json b/ics-attack/relationship/relationship--a6277ff6-9cdf-484f-a902-3f9442039905.json index 2689c08934..b7025f66b7 100644 --- a/ics-attack/relationship/relationship--a6277ff6-9cdf-484f-a902-3f9442039905.json +++ b/ics-attack/relationship/relationship--a6277ff6-9cdf-484f-a902-3f9442039905.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6755d4e9-0d96-436c-8733-56d4e55ba7e7", + "id": "bundle--461efb47-a03b-42b9-a76e-35704c215ec9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a6277ff6-9cdf-484f-a902-3f9442039905", "created": "2024-09-11T22:55:18.833Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Claroty Fuxnet 2024", 
diff --git a/ics-attack/relationship/relationship--a6479493-6154-408f-90df-9d2f3ae352d1.json b/ics-attack/relationship/relationship--a6479493-6154-408f-90df-9d2f3ae352d1.json index e4089fda31..7a2f2e23de 100644 --- a/ics-attack/relationship/relationship--a6479493-6154-408f-90df-9d2f3ae352d1.json +++ b/ics-attack/relationship/relationship--a6479493-6154-408f-90df-9d2f3ae352d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--37975b91-20d0-451e-b089-08ed690b2b4e", + "id": "bundle--427d881b-ae17-4f54-8668-7bd67fbf08b0", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a6479493-6154-408f-90df-9d2f3ae352d1", "created": "2023-03-31T17:46:01.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Crashoverride 2018", diff --git a/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json b/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json index 7e6004696c..74bf8f4336 100644 --- a/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json +++ b/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--daff2a78-69af-4eb6-be5b-8af3384effb0", + "id": "bundle--65834319-d291-459b-951e-d7f668b3f1eb", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28", "created": "2021-04-13T12:28:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Davey Winder June 2020", diff --git a/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json b/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json index a176e98c7a..6d72d3e0d2 100644 --- a/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json 
+++ b/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0a3327eb-b2a3-472c-bc68-cbd366bd6831", + "id": "bundle--ca06f7f1-92a6-456d-8cc3-e00c61fd47ad", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", diff --git a/ics-attack/relationship/relationship--a6e404c9-7b12-4403-8f2a-2815b8b87372.json b/ics-attack/relationship/relationship--a6e404c9-7b12-4403-8f2a-2815b8b87372.json index 0302b0233f..54be9f4449 100644 --- a/ics-attack/relationship/relationship--a6e404c9-7b12-4403-8f2a-2815b8b87372.json +++ b/ics-attack/relationship/relationship--a6e404c9-7b12-4403-8f2a-2815b8b87372.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90a13ee0-2a5c-4a1b-82b4-598c5cdc400d", + "id": "bundle--651bc8eb-861a-47a8-98d6-4a966c2481e3", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--441ded70-7e25-47f1-b55c-0fafb7d4f44c", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", diff --git a/ics-attack/relationship/relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json b/ics-attack/relationship/relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json index 7508ed4fc4..c0a813180f 100644 --- a/ics-attack/relationship/relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json +++ b/ics-attack/relationship/relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bd4c6200-e528-4861-ad36-66867237111a", + "id": "bundle--3715bde3-9fd1-4c4a-a8f5-8c5b8b0c8199", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7", "created": "2023-09-29T17:05:56.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:59.902Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json b/ics-attack/relationship/relationship--a6ebd61b-7845-4694-9860-2e8998f2841f.json similarity index 76% rename from ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json rename to ics-attack/relationship/relationship--a6ebd61b-7845-4694-9860-2e8998f2841f.json index a3ef6de601..63dbd68c33 100644 --- a/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json +++ b/ics-attack/relationship/relationship--a6ebd61b-7845-4694-9860-2e8998f2841f.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--b4dafb2e-2d76-4987-8ff1-8c116c91e1fc", + "id": "bundle--21756772-1662-4f55-9b93-d41898351446", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc", + "id": "relationship--a6ebd61b-7845-4694-9860-2e8998f2841f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -15,10 +16,10 @@ "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927.json b/ics-attack/relationship/relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927.json index 64bf28c0d5..36f16b37a4 100644 --- a/ics-attack/relationship/relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927.json +++ b/ics-attack/relationship/relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d9c14d2-1355-4fb6-ae1e-b6dd39a722d9", + "id": "bundle--5fd3a226-0d8d-46ea-87b7-60e916fc9097", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927", "created": "2023-03-30T14:08:06.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", diff --git a/ics-attack/relationship/relationship--a72c212f-6d4f-4c5d-873d-afa42021024c.json b/ics-attack/relationship/relationship--a72c212f-6d4f-4c5d-873d-afa42021024c.json index a9def39b0f..289d35553d 100644 --- a/ics-attack/relationship/relationship--a72c212f-6d4f-4c5d-873d-afa42021024c.json 
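Review bot: This rename gives the mitigation a new `id` and re-points `target_ref` from attack-pattern--008b8f56-… to attack-pattern--15ca2a99-…, yet `created` stays at 2020-09-21 and `modified` is not among the changed lines (old line 14 of the file falls between the two hunks, so this is inferred). A consumer that syncs incrementally on `modified` can miss the new object. One that still holds relationship--c6562519-… gets no revoked or deprecated marker telling it the old mapping is gone, which leaves stale mitigation coverage in place. I would set `"modified": "<release timestamp>"` on the re-targeted object. The renames to relationship--a7649bd4-… (where the unchanged `modified` of 2025-04-16 is visible as context) and relationship--a8f136ed-… follow the same pattern.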
+++ b/ics-attack/relationship/relationship--a72c212f-6d4f-4c5d-873d-afa42021024c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1b8ba090-8972-474a-8cf0-be8af0bb277e", + "id": "bundle--6568d8c2-c9ce-4262-ac2b-c6668de293c6", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a72c212f-6d4f-4c5d-873d-afa42021024c", "created": "2024-03-26T15:42:10.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:00.313Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--a7333752-af0d-42e0-88e5-7c1134e6e6c8.json b/ics-attack/relationship/relationship--a7333752-af0d-42e0-88e5-7c1134e6e6c8.json new file mode 100644 index 0000000000..96df3c2ef1 --- /dev/null +++ b/ics-attack/relationship/relationship--a7333752-af0d-42e0-88e5-7c1134e6e6c8.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--2ac905a1-a76e-4588-b229-d27ca916d891", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a7333752-af0d-42e0-88e5-7c1134e6e6c8", + "created": "2026-04-20T20:54:25.517Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:25.517Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb.json b/ics-attack/relationship/relationship--a7649bd4-5b10-4d55-adaf-228e31472dff.json similarity index 71% rename from ics-attack/relationship/relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb.json rename to ics-attack/relationship/relationship--a7649bd4-5b10-4d55-adaf-228e31472dff.json index 28c78713d0..4f5b680450 100644 --- a/ics-attack/relationship/relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb.json +++ b/ics-attack/relationship/relationship--a7649bd4-5b10-4d55-adaf-228e31472dff.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--ed74e1fe-2497-433c-989b-03bb1c8564f0", + "id": "bundle--ef28c4e7-0264-41f1-9bc3-8e071ed4d463", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb", + "id": "relationship--a7649bd4-5b10-4d55-adaf-228e31472dff", "created": "2023-09-28T21:23:01.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:25.902Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json b/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json index 62c2d9d36e..e1896d15b0 100644 --- a/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json 
+++ b/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--107ef3d5-1d80-4547-9f92-12e395f463cb", + "id": "bundle--a16c9b5b-1b49-410c-8cfa-fe4e3af53c33", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a78fc081-051a-45ca-91c2-c3f29325cbf2.json b/ics-attack/relationship/relationship--a78fc081-051a-45ca-91c2-c3f29325cbf2.json new file mode 100644 index 0000000000..0e521b0907 --- /dev/null +++ b/ics-attack/relationship/relationship--a78fc081-051a-45ca-91c2-c3f29325cbf2.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--f66140c1-d2db-4dba-9ed9-d947486d1975", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a78fc081-051a-45ca-91c2-c3f29325cbf2", + "created": "2026-04-22T13:53:34.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:53:34.402Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json b/ics-attack/relationship/relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json index 1423d597f0..76a071a257 100644 --- a/ics-attack/relationship/relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json +++ b/ics-attack/relationship/relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d188c35-7722-4eb4-b48c-9d71180cbbeb", + "id": "bundle--20637fc2-fcc8-44a5-800b-20d396bc576d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac", "created": "2023-09-28T19:41:16.927Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:01.326Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json b/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json index e38afa17b1..86749a23a1 100644 --- a/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json +++ b/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--45039250-2638-48aa-8424-ed971659c81e", + "id": "bundle--6c25d26b-ab9c-46ef-bd2b-d4a06fa9ba5c", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json b/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json index 3d4da20130..fdc1bfb8c0 100644 --- a/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json +++ b/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--569de8da-597d-4ce4-9261-d9f2cf11dbb8", + "id": "bundle--ce0018ac-7fd1-440c-ab5a-06b787df35af", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json b/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json index fbe9a087c5..5b7f8a5ac1 100644 --- a/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json +++ b/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3c12312c-a644-47d2-b64d-ba56e8b8a252", + "id": "bundle--12504f11-d34b-46c4-8f75-2579a815c3e3", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8", "created": "2021-04-11T14:06:54.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ICS CERT September 2018", diff --git a/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json b/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json index 8cac3d2322..0a9c6cfcd4 100644 --- a/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json +++ b/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b1789d41-db32-4c6a-961c-517b55caaa52", + "id": "bundle--60536297-9cce-4ab8-ac51-ab48b17eef1b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a849d434-a070-43ff-a73f-49ff616ad865.json b/ics-attack/relationship/relationship--a849d434-a070-43ff-a73f-49ff616ad865.json new file mode 100644 index 0000000000..878475e8cc --- /dev/null +++ b/ics-attack/relationship/relationship--a849d434-a070-43ff-a73f-49ff616ad865.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--0e4bbfc8-e5fe-4434-98c4-3507945687c1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a849d434-a070-43ff-a73f-49ff616ad865", + "created": "2026-04-22T22:34:32.303Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:34:32.303Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json b/ics-attack/relationship/relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json index 35ab0748e7..33db8c4433 100644 --- a/ics-attack/relationship/relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json +++ b/ics-attack/relationship/relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--723f8556-e7d9-4b63-88fc-acb69efb75bb", + "id": "bundle--2cf66a24-1452-427a-8ffb-71d7d5579a6a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1", "created": "2023-09-28T20:28:27.970Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:03.314Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
diff --git a/ics-attack/relationship/relationship--a8563939-14f9-4790-a8bb-6e984e3ad7ac.json b/ics-attack/relationship/relationship--a8563939-14f9-4790-a8bb-6e984e3ad7ac.json new file mode 100644 index 0000000000..daee1c724a --- /dev/null +++ b/ics-attack/relationship/relationship--a8563939-14f9-4790-a8bb-6e984e3ad7ac.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--a866a8c9-c5db-4a81-97ab-1d9e2d422ea6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a8563939-14f9-4790-a8bb-6e984e3ad7ac", + "created": "2026-04-23T00:07:07.724Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:38:22.928Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json b/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json index 3c77028ed8..f3ab7d139a 100644 --- a/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json +++ b/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--09606f18-dad9-441d-b14e-9d958d063860", + "id": "bundle--e2aebf15-8610-4a28-9446-be4e2b0cb15b", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--a873cbaa-04c1-4402-a8d1-683cc7b1ac85.json b/ics-attack/relationship/relationship--a873cbaa-04c1-4402-a8d1-683cc7b1ac85.json index 04fee4250a..dfc3cc7467 100644 --- a/ics-attack/relationship/relationship--a873cbaa-04c1-4402-a8d1-683cc7b1ac85.json +++ b/ics-attack/relationship/relationship--a873cbaa-04c1-4402-a8d1-683cc7b1ac85.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90445377-4eec-48d0-85f7-e149f26dafd5", + "id": "bundle--bc816a6e-d012-4291-8cc8-a0f0d54d81c6", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a873cbaa-04c1-4402-a8d1-683cc7b1ac85", "created": "2025-09-29T19:45:58.559Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json b/ics-attack/relationship/relationship--a8f136ed-4ab7-4dbc-ba22-db57ace5ed6e.json similarity index 78% rename from ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json rename to ics-attack/relationship/relationship--a8f136ed-4ab7-4dbc-ba22-db57ace5ed6e.json index ec0e1572b6..af687049a4 100644 --- a/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json +++ b/ics-attack/relationship/relationship--a8f136ed-4ab7-4dbc-ba22-db57ace5ed6e.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--e7c09857-503f-4d95-8597-3a87f9284baf", + "id": "bundle--c85d74a9-a9e6-4a49-9542-0a745a057bd1", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--d1971b32-3a15-4544-9f36-80c05121deb6", + "id": "relationship--a8f136ed-4ab7-4dbc-ba22-db57ace5ed6e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -15,10 +16,10 @@ "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json b/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json index 0046abeebe..1402f53ca0 100644 --- a/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json +++ b/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f2479b8-94b9-4c0e-a1c3-5dc5f7b6b31a", + "id": "bundle--40c7397b-a445-4801-8431-7bc6d00e3b1b", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a91002fe-21b2-4417-9c23-af712a7a035c", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--a91295dc-b381-4dc9-9384-9f9949066778.json b/ics-attack/relationship/relationship--a91295dc-b381-4dc9-9384-9f9949066778.json index 6a7ae0fc6e..49f87f94b6 100644 --- a/ics-attack/relationship/relationship--a91295dc-b381-4dc9-9384-9f9949066778.json 
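Review bot: relationship--a8f136ed is a new object id with a different `target_ref`, yet it keeps `"created": "2020-09-21T17:59:24.739Z"` from the object it replaces. Its `modified` line falls between the two hunks, so it appears to be unchanged as well. A sync or mitigation-coverage job that selects objects by `modified` would then miss the re-targeted mapping, and as far as this diff shows the old id (d1971b32) vanishes without a revoked tombstone. Other re-created relationships in this change (aa444531, adf230b9) get fresh `created` and `modified` values, so I would do the same here, e.g. `"modified": "<time of re-creation>"`. The same pattern shows in a99cb0b8, aabf71ab and ac7a74a9, where `"modified": "2025-04-16T23:05:32.996Z"` is a context line right next to the changed `source_ref`.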
+++ b/ics-attack/relationship/relationship--a91295dc-b381-4dc9-9384-9f9949066778.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ae293d1e-1710-40f2-b40b-2e1c9bb10cf5", + "id": "bundle--b966beb2-d9aa-4a8a-a420-30820c56fb30", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a91295dc-b381-4dc9-9384-9f9949066778", "created": "2023-09-29T18:42:18.446Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:03.935Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--a918d944-e50b-4b2c-9b77-6e28afe68607.json b/ics-attack/relationship/relationship--a918d944-e50b-4b2c-9b77-6e28afe68607.json index 9d55e089fa..234d365650 100644 --- a/ics-attack/relationship/relationship--a918d944-e50b-4b2c-9b77-6e28afe68607.json +++ b/ics-attack/relationship/relationship--a918d944-e50b-4b2c-9b77-6e28afe68607.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f1fa827e-209a-4f1b-89ba-551d4fbe3912", + "id": "bundle--4eed16da-41ac-43b1-bd72-1c520f6dfca9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a918d944-e50b-4b2c-9b77-6e28afe68607", "created": "2025-09-29T21:58:43.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--a93ba793-24dd-47dd-b32c-4c3016124c90.json b/ics-attack/relationship/relationship--a93ba793-24dd-47dd-b32c-4c3016124c90.json index bee80dc8c0..6401e7dce1 100644 --- a/ics-attack/relationship/relationship--a93ba793-24dd-47dd-b32c-4c3016124c90.json 
+++ b/ics-attack/relationship/relationship--a93ba793-24dd-47dd-b32c-4c3016124c90.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc432886-2d10-4162-a66f-bbc5600570e6", + "id": "bundle--2f0dfef3-1971-4623-855e-cf5fd795c87c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--a93ba793-24dd-47dd-b32c-4c3016124c90", "created": "2023-09-29T18:43:02.969Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:04.140Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json b/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json index 0194a83a59..37dd93f483 100644 --- a/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json +++ b/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce09d699-249f-4847-85a0-a136b69a05c2", + "id": "bundle--def45495-ec84-4aab-a241-f0040c71daeb", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "MDudek-ICS", diff --git a/ics-attack/relationship/relationship--a97c2f8c-c7c9-423f-8679-a58c11f8d409.json b/ics-attack/relationship/relationship--a97c2f8c-c7c9-423f-8679-a58c11f8d409.json new file mode 100644 index 0000000000..bb8b1d6f66 --- /dev/null +++ b/ics-attack/relationship/relationship--a97c2f8c-c7c9-423f-8679-a58c11f8d409.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--051aa973-b792-4ab5-bc36-39b708d22f85", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a97c2f8c-c7c9-423f-8679-a58c11f8d409", + "created": "2026-04-22T22:37:05.299Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:37:05.299Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json b/ics-attack/relationship/relationship--a99cb0b8-4ac0-4712-850a-3aac16f87520.json similarity index 74% rename from ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json rename to ics-attack/relationship/relationship--a99cb0b8-4ac0-4712-850a-3aac16f87520.json index 2d4376d06d..24ae7b1d54 100644 --- a/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json +++ b/ics-attack/relationship/relationship--a99cb0b8-4ac0-4712-850a-3aac16f87520.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--0645a31c-9ad2-40b2-a346-be8b121c22fa", + "id": "bundle--f4d0c5d3-f371-4a23-848a-af431dc92edd", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669", + "id": "relationship--a99cb0b8-4ac0-4712-850a-3aac16f87520", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -15,10 +16,10 @@ "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a9dd70c2-2f54-4b19-85df-df11cbeb0dbd.json b/ics-attack/relationship/relationship--a9dd70c2-2f54-4b19-85df-df11cbeb0dbd.json index 0e262c47d7..9f216c570a 100644 --- a/ics-attack/relationship/relationship--a9dd70c2-2f54-4b19-85df-df11cbeb0dbd.json +++ b/ics-attack/relationship/relationship--a9dd70c2-2f54-4b19-85df-df11cbeb0dbd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5cb67d89-7889-4501-a254-24896150521e", + "id": "bundle--1bfc7308-939c-4182-b976-7b4849a8ee60", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--b25c4621-5d38-43ee-871e-0e5c02f2f48c", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", diff --git a/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json b/ics-attack/relationship/relationship--aa444531-fa05-4bb4-a23e-8ac133781131.json similarity index 78% rename from ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json rename to ics-attack/relationship/relationship--aa444531-fa05-4bb4-a23e-8ac133781131.json index 8d30d434e5..d05d8235ae 100644 
--- a/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json +++ b/ics-attack/relationship/relationship--aa444531-fa05-4bb4-a23e-8ac133781131.json @@ -1,12 +1,12 @@ { "type": "bundle", - "id": "bundle--2d80edf3-68a3-47ff-9315-510b6e60a3f7", + "id": "bundle--f5f87977-7ff2-4f18-ad22-2b27647222ca", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb", - "created": "2017-12-14T16:46:06.044Z", + "id": "relationship--aa444531-fa05-4bb4-a23e-8ac133781131", + "created": "2026-04-22T17:27:46.121Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ @@ -19,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:05:06.275Z", + "modified": "2026-04-23T13:42:51.920Z", "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "target_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba.json b/ics-attack/relationship/relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba.json index ef4c17be8d..750f5808ec 100644 --- a/ics-attack/relationship/relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba.json +++ b/ics-attack/relationship/relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6676647d-4bf1-4b70-9fb6-a63f84e402f1", + "id": "bundle--70cfea73-5ec7-44da-bb2f-4801b67329c2", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba", "created": "2023-09-29T17:42:56.284Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:04.996Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--1acc3a43-2961-4e4c-a237-f426a2df6be5.json b/ics-attack/relationship/relationship--aabf71ab-4121-4e3e-888d-cc16d2133846.json similarity index 89% rename from ics-attack/relationship/relationship--1acc3a43-2961-4e4c-a237-f426a2df6be5.json rename to ics-attack/relationship/relationship--aabf71ab-4121-4e3e-888d-cc16d2133846.json index 2f8c783a69..2a7f243c47 100644 --- a/ics-attack/relationship/relationship--1acc3a43-2961-4e4c-a237-f426a2df6be5.json +++ b/ics-attack/relationship/relationship--aabf71ab-4121-4e3e-888d-cc16d2133846.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--3387f511-12f5-47a8-bf08-c5688741741c", + "id": "bundle--1101aded-0d88-46ed-a1ac-6b69305203b0", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--1acc3a43-2961-4e4c-a237-f426a2df6be5", + "id": "relationship--aabf71ab-4121-4e3e-888d-cc16d2133846", "created": "2024-03-25T20:05:52.868Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -28,10 +28,10 @@ "description": "During the [Unitronics Defacement Campaign](https://attack.mitre.org/campaigns/C0031), the [CyberAv3ngers](https://attack.mitre.org/groups/G1027) discovered and exploited default credentials found on many Unitronics [Programmable Logic Controller (PLC)](https://attack.mitre.org/assets/A0003) [Human-Machine Interface (HMI)](https://attack.mitre.org/assets/A0002). For many of these devices, the default password was set to \u20181111\u2019.(Citation: CISA AA23-335A IRGC-Affiliated December 2023)(Citation: CISA Unitronics November 2023)", "relationship_type": "uses", "source_ref": "campaign--8fda050f-470d-4401-994e-35c1a6c301de", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json b/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json index 8b54a9dba0..3df642108c 100644 --- a/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json +++ b/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--babc02d9-a4d2-4750-a780-2aee5d8b4ea9", + "id": "bundle--ad760755-1876-409d-80d0-4a197369109e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--ab306654-2abb-4983-8d30-df4058adb06c", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Selena Larson, Camille Singleton December 2020", 
diff --git a/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json b/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json index ce70bedbd4..1657d3639f 100644 --- a/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json +++ b/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--45360078-55f6-4a7e-ab54-3651cd9047d5", + "id": "bundle--851012bb-b098-43db-85c2-d3f7af217148", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json b/ics-attack/relationship/relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json index 63fabc6cc8..015ac8fc7e 100644 --- a/ics-attack/relationship/relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json +++ b/ics-attack/relationship/relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c032ef35-49ca-4248-8cd8-0d7d50f073ae", + "id": "bundle--d2232b6a-b80a-4d0d-b5dd-1af0243bc52d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e", "created": "2023-09-29T17:37:16.719Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:06.487Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json b/ics-attack/relationship/relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json index e1575be23a..378e4f0ee3 100644 --- a/ics-attack/relationship/relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json 
+++ b/ics-attack/relationship/relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--953d881b-f767-4b90-b4f3-6fac30ab77d6", + "id": "bundle--678f87ba-f67c-449f-9c57-4c50f7ca48a5", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed", "created": "2023-09-28T19:41:30.623Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:06.728Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json b/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json index 7a54f86fd2..edf55ae1d3 100644 --- a/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json +++ b/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04812e14-bed7-44df-9eb9-8f5cda5a772f", + "id": "bundle--ba1a5c81-90b1-4752-b620-7816877e2df4", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--ab8e129c-5411-4784-9194-068fa915da23", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov", diff --git a/ics-attack/relationship/relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291.json b/ics-attack/relationship/relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291.json index 9a114c6e2f..1c639dc676 100644 --- a/ics-attack/relationship/relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291.json 
+++ b/ics-attack/relationship/relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--319dbd4c-2735-4674-85b1-eed4cc825aa1", + "id": "bundle--f4d0555f-4f2b-4aa1-8800-9595e92a833a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291", "created": "2023-10-02T20:20:19.426Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:07.145Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138.json b/ics-attack/relationship/relationship--ac7a74a9-7e1d-49d2-b1d8-0f0712fd578f.json similarity index 71% rename from ics-attack/relationship/relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138.json rename to ics-attack/relationship/relationship--ac7a74a9-7e1d-49d2-b1d8-0f0712fd578f.json index 7bba1780a3..586068a245 100644 --- a/ics-attack/relationship/relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138.json +++ b/ics-attack/relationship/relationship--ac7a74a9-7e1d-49d2-b1d8-0f0712fd578f.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--a4003605-af5a-4c36-8e8c-a5e19c65360c", + "id": "bundle--ac3b9b9d-2ace-4262-b138-51b3962a4e05", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138", + "id": "relationship--ac7a74a9-7e1d-49d2-b1d8-0f0712fd578f", "created": "2023-09-28T20:31:31.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:32.996Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json b/ics-attack/relationship/relationship--ac8d2d28-5fdc-44d6-9e5a-8e5560b3f91f.json similarity index 73% rename from ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json rename to ics-attack/relationship/relationship--ac8d2d28-5fdc-44d6-9e5a-8e5560b3f91f.json index 93a5c13fef..ab330fa030 100644 --- a/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json +++ b/ics-attack/relationship/relationship--ac8d2d28-5fdc-44d6-9e5a-8e5560b3f91f.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--592e1d53-4fbf-477d-9e54-507699cadbb1", + "id": "bundle--44e48623-b127-4aca-a739-f5a288d7bc94", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297", + "id": "relationship--ac8d2d28-5fdc-44d6-9e5a-8e5560b3f91f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security September 2016", 
@@ -18,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:25.553Z", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "modified": "2026-04-23T19:13:21.882Z", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--acb4e9f0-0c1a-4c34-a88c-9125f0bd453a.json b/ics-attack/relationship/relationship--acb4e9f0-0c1a-4c34-a88c-9125f0bd453a.json index 54c0e16748..c18e08fc52 100644 --- a/ics-attack/relationship/relationship--acb4e9f0-0c1a-4c34-a88c-9125f0bd453a.json +++ b/ics-attack/relationship/relationship--acb4e9f0-0c1a-4c34-a88c-9125f0bd453a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c766ab62-fb19-43cb-9dc1-6c80b338c1d4", + "id": "bundle--fe19e5c6-ff1d-4d58-a52b-4f130ff9806e", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--887ae691-a519-4b68-af26-bcea1483cef7", "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", 
diff --git a/ics-attack/relationship/relationship--acc646be-70db-48c0-9504-25ad122ddb40.json b/ics-attack/relationship/relationship--acc646be-70db-48c0-9504-25ad122ddb40.json new file mode 100644 index 0000000000..a0b5f60763 --- /dev/null +++ b/ics-attack/relationship/relationship--acc646be-70db-48c0-9504-25ad122ddb40.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--9b27c4d6-0f40-4c8d-8c7c-d6b21fde9181", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--acc646be-70db-48c0-9504-25ad122ddb40", + "created": "2026-04-22T22:33:32.825Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:33:32.825Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--acd320fb-8c30-48d4-8ca0-c5379e0998fc.json b/ics-attack/relationship/relationship--acd320fb-8c30-48d4-8ca0-c5379e0998fc.json index f3f618b8d0..746e372be6 100644 --- a/ics-attack/relationship/relationship--acd320fb-8c30-48d4-8ca0-c5379e0998fc.json +++ b/ics-attack/relationship/relationship--acd320fb-8c30-48d4-8ca0-c5379e0998fc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6003fde7-b414-46f4-ac37-f5351dd437bf", + "id": "bundle--14ad567d-60e0-45a3-841a-9a6c99ab5ac1", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--acd320fb-8c30-48d4-8ca0-c5379e0998fc", "created": "2025-09-29T19:15:47.679Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--ad2ed5dc-d683-4b0e-b1e2-50b2e61ffd11.json b/ics-attack/relationship/relationship--ad2ed5dc-d683-4b0e-b1e2-50b2e61ffd11.json index 5ce8a6bfa5..3a6b3fbfd8 100644 --- a/ics-attack/relationship/relationship--ad2ed5dc-d683-4b0e-b1e2-50b2e61ffd11.json +++ b/ics-attack/relationship/relationship--ad2ed5dc-d683-4b0e-b1e2-50b2e61ffd11.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1516bff1-2341-404b-9d5a-3cc6ebf948c4", + "id": "bundle--3d28a0c0-2988-4e44-bb85-08144fc09765", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--d9469edc-7e55-41bc-8b17-a8db9fc6302e", "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", diff --git a/ics-attack/relationship/relationship--ad3774f0-d286-4315-95db-a3a78752ef3b.json b/ics-attack/relationship/relationship--ad3774f0-d286-4315-95db-a3a78752ef3b.json new file mode 100644 index 0000000000..b94b3bdadf --- /dev/null +++ b/ics-attack/relationship/relationship--ad3774f0-d286-4315-95db-a3a78752ef3b.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--d46d87ce-e076-4e19-9eea-d232c3a12f02", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ad3774f0-d286-4315-95db-a3a78752ef3b", + "created": "2026-04-22T22:36:26.116Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:36:26.116Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json b/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json index 95c16eaaeb..8310ee04a7 100644 --- a/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json +++ b/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9ecb5b8-f89e-4b5b-9e40-f644850efd33", + "id": "bundle--ed9fbc8c-c005-4572-bda1-cd9c4fb02189", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json b/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json index 00d2271de1..00c86359dc 100644 --- a/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json +++ b/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ef671f8-de4e-4f17-ad26-501c8ef84a3d", + "id": "bundle--32d8623a-0e8e-43fd-8846-9464c1c73346", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b.json b/ics-attack/relationship/relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b.json index 362d432e97..3148c6a9de 100644 --- a/ics-attack/relationship/relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b.json +++ b/ics-attack/relationship/relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e121766-934f-45e5-ac88-cf815b306cab", + "id": "bundle--55afe18d-f4a8-4274-9b2a-973e579f2f6e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b", "created": "2023-09-28T21:12:39.257Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:08.481Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--adc6a1fa-c265-481f-8cde-f28a30873682.json b/ics-attack/relationship/relationship--adc6a1fa-c265-481f-8cde-f28a30873682.json index b8f713f62a..8ab074cb64 100644 --- a/ics-attack/relationship/relationship--adc6a1fa-c265-481f-8cde-f28a30873682.json +++ b/ics-attack/relationship/relationship--adc6a1fa-c265-481f-8cde-f28a30873682.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--49bae6b8-23d5-4a01-9d9f-bdd8662b4fcf", + "id": "bundle--cc4ddec1-5500-4d83-af0e-57f78c5070d0", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--adc6a1fa-c265-481f-8cde-f28a30873682", "created": "2025-09-24T18:19:51.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json b/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json index ce92cc1cd7..bfd8bc69a3 100644 --- a/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json +++ b/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f4261bb3-2166-4a1d-a2b9-345612b16ef2", + "id": "bundle--34cd9312-afdc-4159-be9b-44567314805e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--adf2072c-0341-4fc2-9d25-495b4af864e9.json b/ics-attack/relationship/relationship--adf2072c-0341-4fc2-9d25-495b4af864e9.json index dfc19ffb67..a982ea21fc 100644 --- a/ics-attack/relationship/relationship--adf2072c-0341-4fc2-9d25-495b4af864e9.json +++ b/ics-attack/relationship/relationship--adf2072c-0341-4fc2-9d25-495b4af864e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--11147df3-4abc-4018-b573-1a9d3e3cd156", + "id": "bundle--7498a5a5-a7cc-4352-8386-d38399509dc6", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--adf2072c-0341-4fc2-9d25-495b4af864e9", "created": "2023-03-10T20:09:22.370Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", diff --git a/ics-attack/relationship/relationship--81352e47-4317-45e3-88b9-a97dd2166727.json b/ics-attack/relationship/relationship--adf230b9-b622-473e-b7f4-6ea2dd13ab43.json similarity index 80% rename from ics-attack/relationship/relationship--81352e47-4317-45e3-88b9-a97dd2166727.json rename to ics-attack/relationship/relationship--adf230b9-b622-473e-b7f4-6ea2dd13ab43.json index c2898a5d5e..3f464e86d9 100644 --- a/ics-attack/relationship/relationship--81352e47-4317-45e3-88b9-a97dd2166727.json +++ b/ics-attack/relationship/relationship--adf230b9-b622-473e-b7f4-6ea2dd13ab43.json 
@@ -1,12 +1,12 @@
 {
 "type": "bundle",
- "id": "bundle--64531deb-3ab6-4d19-8e72-43f5e98b8ca4",
+ "id": "bundle--52d1f250-2346-4546-bbc7-a9be2e09b730",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--81352e47-4317-45e3-88b9-a97dd2166727",
- "created": "2024-03-28T14:29:05.074Z",
+ "id": "relationship--adf230b9-b622-473e-b7f4-6ea2dd13ab43",
+ "created": "2026-04-23T00:22:56.882Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
@@ -19,14 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T23:03:24.181Z",
+ "modified": "2026-04-23T00:22:56.882Z",
 "description": "In the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030), [TEMP.Veles](https://attack.mitre.org/groups/G0088) downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.(Citation: FireEye TRITON Dec 2017)",
 "relationship_type": "uses",
 "source_ref": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
- "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+ "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ae0b459d-535d-4895-ac9f-6ec0518afe00.json b/ics-attack/relationship/relationship--ae0b459d-535d-4895-ac9f-6ec0518afe00.json
new file mode 100644
index 0000000000..0de140fe0b
--- /dev/null
+++ b/ics-attack/relationship/relationship--ae0b459d-535d-4895-ac9f-6ec0518afe00.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--95c2f1a1-3a72-465d-a938-b42217a3f636",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--ae0b459d-535d-4895-ac9f-6ec0518afe00",
+ "created": "2026-04-22T16:32:26.132Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T16:12:51.408Z",
+ "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have insecure credentials which could be used to gain unauthorized access.",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
+ "target_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json b/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json
index 0cb105ccfd..3d51e90126 100644
--- a/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json
+++ b/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0b143f7a-6ab8-437d-8148-d42c71e46730",
+ "id": "bundle--58f80f0b-c0c6-42b5-88fe-256ca3dcb3d0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ae1e5c1a-8f2f-4a5a-a262-3d485c20e7a0.json b/ics-attack/relationship/relationship--ae1e5c1a-8f2f-4a5a-a262-3d485c20e7a0.json
new file mode 100644
index 0000000000..45a64019af
--- /dev/null
+++ b/ics-attack/relationship/relationship--ae1e5c1a-8f2f-4a5a-a262-3d485c20e7a0.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--4bcb1088-99eb-44c7-9f28-ffc052e6fe5c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--ae1e5c1a-8f2f-4a5a-a262-3d485c20e7a0",
+ "created": "2026-04-22T21:43:12.841Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T17:10:07.791Z",
+ "description": "Segment operational networks to isolate critical systems and devices that do not require broad network access.",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json b/ics-attack/relationship/relationship--ae20022f-25b5-4eff-8775-53f1e0ad91b8.json
similarity index 74%
rename from ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json
rename to ics-attack/relationship/relationship--ae20022f-25b5-4eff-8775-53f1e0ad91b8.json
index 6a970d2e6b..e6b29d7787 100644
--- a/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json
+++ b/ics-attack/relationship/relationship--ae20022f-25b5-4eff-8775-53f1e0ad91b8.json
@@ -1,13 +1,14 @@
 {
 "type": "bundle",
- "id": "bundle--b21554e9-f071-46ad-9dfc-0d2037cae45c",
+ "id": "bundle--d0c47243-2bf2-4e17-884e-7447815bbc7e",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984",
+ "id": "relationship--ae20022f-25b5-4eff-8775-53f1e0ad91b8",
 "created": "2020-09-21T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
@@ -15,10 +16,10 @@
 "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
- "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json b/ics-attack/relationship/relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json
index 5f48f5ec08..99ffd2c18c 100644
--- a/ics-attack/relationship/relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json
+++ b/ics-attack/relationship/relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7408a32f-122c-4645-9f07-f26e88724ed5",
+ "id": "bundle--9c17ce1d-075f-4ef1-94b9-fa8d483b9d51",
 "spec_version": "2.0",
 "objects": [
 {
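Review bot: The first hunk of the rename to `relationship--ae20022f-25b5-4eff-8775-53f1e0ad91b8` issues a new STIX id but leaves `"created": "2020-09-21T17:59:24.739Z"` as unchanged context, whereas the rename to `relationship--adf230b9-…` earlier in this diff resets both `created` and `modified` to 2026-04-23. The same carry-over is visible in the renames to `relationship--af374cf3-…` and `relationship--b1c35486-…`, where `modified` also stays at its 2025-04-16 value even though `source_ref` and `x_mitre_attack_spec_version` change. Consumers that ingest deltas by `modified`, or treat `created` as first-seen, would mis-date these objects; either stamp them the way the `adf230b9` rename does or keep the original id if the object is meant to be the same relationship. The `modified` line of this file sits between the two hunks and is not visible here.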
@@ -8,12 +8,10 @@
 "id": "relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc",
 "created": "2023-09-28T19:50:14.201Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:04:09.371Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
 "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
diff --git a/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json b/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json
index e43c5efef3..461c430813 100644
--- a/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json
+++ b/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8982a456-534c-444e-a66e-411dbc6b42dc",
+ "id": "bundle--a32dd549-d6af-4f63-8b50-b97ab0202dbe",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json b/ics-attack/relationship/relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json
index 0a1590bbba..24a4e4bde1 100644
--- a/ics-attack/relationship/relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json
+++ b/ics-attack/relationship/relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e6894ac4-9994-4023-9ec5-a8e86f1f4d11",
+ "id": "bundle--957b8810-59d7-405a-b5c1-12bbb977c14c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c",
 "created": "2023-03-10T20:36:34.109Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Marshall Abrams July 2008",
diff --git a/ics-attack/relationship/relationship--aec4cb16-bee9-410e-bb74-e3fa70cacf6a.json b/ics-attack/relationship/relationship--aec4cb16-bee9-410e-bb74-e3fa70cacf6a.json
index c751563b49..5e318744d9 100644
--- a/ics-attack/relationship/relationship--aec4cb16-bee9-410e-bb74-e3fa70cacf6a.json
+++ b/ics-attack/relationship/relationship--aec4cb16-bee9-410e-bb74-e3fa70cacf6a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--19249251-d9ca-4c7d-ace5-75e7cefb5864",
+ "id": "bundle--60deff85-063b-4eff-bae2-c107bba73a76",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--aec4cb16-bee9-410e-bb74-e3fa70cacf6a",
 "created": "2025-09-24T18:17:46.146Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--af20f409-05ed-42c3-ae3e-09b047b84875.json b/ics-attack/relationship/relationship--af20f409-05ed-42c3-ae3e-09b047b84875.json
index ee58a9196d..f8c204f284 100644
--- a/ics-attack/relationship/relationship--af20f409-05ed-42c3-ae3e-09b047b84875.json
+++ b/ics-attack/relationship/relationship--af20f409-05ed-42c3-ae3e-09b047b84875.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--71048c20-3990-4232-bdc6-4f3bd92590bc",
+ "id": "bundle--7a51ba7e-3d92-4aac-a5ff-9f86c248b29b",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--af20f409-05ed-42c3-ae3e-09b047b84875",
 "created": "2023-09-25T20:49:25.308Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5.json b/ics-attack/relationship/relationship--af374cf3-b440-4783-8e1b-243a8dbdeaf4.json
similarity index 71%
rename from ics-attack/relationship/relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5.json
rename to ics-attack/relationship/relationship--af374cf3-b440-4783-8e1b-243a8dbdeaf4.json
index da1b4c50d1..53cafd6d0e 100644
--- a/ics-attack/relationship/relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5.json
+++ b/ics-attack/relationship/relationship--af374cf3-b440-4783-8e1b-243a8dbdeaf4.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--3ec6e5c2-81fa-4efe-9f0c-0757257dd048",
+ "id": "bundle--68b08b5c-12e9-427a-ae20-ca0b2883a3b3",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5",
+ "id": "relationship--af374cf3-b440-4783-8e1b-243a8dbdeaf4",
 "created": "2023-09-29T18:07:41.540Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -13,13 +13,12 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:51.006Z",
- "description": "",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df",
 "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--af453639-85a4-4dcc-8f6b-b9dbce1a45e4.json b/ics-attack/relationship/relationship--af453639-85a4-4dcc-8f6b-b9dbce1a45e4.json
new file mode 100644
index 0000000000..840c2274b8
--- /dev/null
+++ b/ics-attack/relationship/relationship--af453639-85a4-4dcc-8f6b-b9dbce1a45e4.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--75e0bbea-90d5-4e7d-9152-7e5dd05194b5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--af453639-85a4-4dcc-8f6b-b9dbce1a45e4",
+ "created": "2026-04-22T22:30:43.151Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T22:30:43.151Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855",
+ "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--0d76f813-9d83-4d23-9604-966b71b562f8.json b/ics-attack/relationship/relationship--af595409-2976-4c01-bfbe-8d9c88f2d697.json
similarity index 78%
rename from ics-attack/relationship/relationship--0d76f813-9d83-4d23-9604-966b71b562f8.json
rename to ics-attack/relationship/relationship--af595409-2976-4c01-bfbe-8d9c88f2d697.json
index 3cfb375a62..335f192fc4 100644
--- a/ics-attack/relationship/relationship--0d76f813-9d83-4d23-9604-966b71b562f8.json
+++ b/ics-attack/relationship/relationship--af595409-2976-4c01-bfbe-8d9c88f2d697.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--792383aa-322f-496d-a32b-f6226d9ccfa6",
+ "id": "bundle--1b49c36d-d49e-43fd-95b0-9293d8677878",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--0d76f813-9d83-4d23-9604-966b71b562f8",
+ "id": "relationship--af595409-2976-4c01-bfbe-8d9c88f2d697",
 "created": "2025-09-29T19:48:07.839Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -14,7 +14,7 @@
 ],
 "modified": "2025-09-29T19:48:07.839Z",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5",
 "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
diff --git a/ics-attack/relationship/relationship--af5a7b69-9519-436e-bb58-049b08d82809.json b/ics-attack/relationship/relationship--af5a7b69-9519-436e-bb58-049b08d82809.json
index 57129f1116..e27a38aba5 100644
--- a/ics-attack/relationship/relationship--af5a7b69-9519-436e-bb58-049b08d82809.json
+++ b/ics-attack/relationship/relationship--af5a7b69-9519-436e-bb58-049b08d82809.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3f6392dc-782f-459e-96d0-e6f36064f032",
+ "id": "bundle--1493521c-e9e6-455d-aee0-de40ce6453f2",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,7 +12,6 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-10-21T15:10:28.402Z",
- "description": "",
 "relationship_type": "detects",
 "source_ref": "x-mitre-detection-strategy--442e5dcf-7f41-4ba5-ba89-aefb0d1c63cf",
 "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
diff --git a/ics-attack/relationship/relationship--af5c41cb-063d-42a9-ad54-833bd65477d0.json b/ics-attack/relationship/relationship--af5c41cb-063d-42a9-ad54-833bd65477d0.json
new file mode 100644
index 0000000000..66702b1de7
--- /dev/null
+++ b/ics-attack/relationship/relationship--af5c41cb-063d-42a9-ad54-833bd65477d0.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--314ddbbe-58a4-4616-8d12-c4da4266da9e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--af5c41cb-063d-42a9-ad54-833bd65477d0",
+ "created": "2026-04-22T22:38:14.236Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T17:16:58.628Z",
+ "description": "Ensure systems and devices have an alternative method for communicating in the event that Ethernet communication channels become unavailable.",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
+ "target_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d.json b/ics-attack/relationship/relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d.json
index b2bff31d02..67d222ff90 100644
--- a/ics-attack/relationship/relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d.json
+++ b/ics-attack/relationship/relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c36e9974-42ea-4415-99f0-d5262f65a31e",
+ "id": "bundle--352ef419-5a69-423f-8b8b-1dff1ee6e65c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d",
 "created": "2023-09-29T16:44:42.393Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:04:10.609Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
 "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
diff --git a/ics-attack/relationship/relationship--af861c3e-966c-49aa-86c4-a76102977d16.json b/ics-attack/relationship/relationship--af861c3e-966c-49aa-86c4-a76102977d16.json
new file mode 100644
index 0000000000..87e7b88fe6
--- /dev/null
+++ b/ics-attack/relationship/relationship--af861c3e-966c-49aa-86c4-a76102977d16.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--9f13d89f-7770-4c75-892c-31bb068fd654",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--af861c3e-966c-49aa-86c4-a76102977d16",
+ "created": "2026-04-23T00:26:01.683Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "IEC February 2019",
+ "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ",
+ "url": "https://webstore.iec.ch/publication/34421"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T20:11:55.425Z",
+ "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.(Citation: IEC February 2019)",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
+ "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json b/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json
index e1256854fb..25607cf850 100644
--- a/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json
+++ b/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json
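Review bot: The added `description` for `relationship--af861c3e-…` recommends replacing CRCs with an unkeyed cryptographic hash, but a bare hash verifies integrity only if the reference digest cannot be rewritten by whoever alters the program. The text would be more useful to defenders if it said so, for example by ending with `Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used, with the reference digest signed or stored where the program download path cannot modify it.` Separately, the citation string in `external_references` reads `Retrieved. 2020/09/25 ` with a misplaced full stop and a trailing space, which is worth tidying while the object is new.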
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--df467ee9-4241-4c60-9f8f-d774f1ed2813",
+ "id": "bundle--1c66550c-60e0-4c4d-98d7-70e2744992a4",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json b/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json
index 2a23f4187c..6faea22853 100644
--- a/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json
+++ b/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8f4b2841-8d2d-4ccc-94a0-9663653d7a43",
+ "id": "bundle--d6764aa0-8349-487f-9c77-72f562065a03",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--b050dc4e-4d1c-442a-9824-d7bcb37181f4.json b/ics-attack/relationship/relationship--b050dc4e-4d1c-442a-9824-d7bcb37181f4.json
new file mode 100644
index 0000000000..a60b5c3543
--- /dev/null
+++ b/ics-attack/relationship/relationship--b050dc4e-4d1c-442a-9824-d7bcb37181f4.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--51ab0d88-7cad-4bd3-8de6-79f1cf075c55",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--b050dc4e-4d1c-442a-9824-d7bcb37181f4",
+ "created": "2026-04-22T13:53:10.127Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T13:53:10.127Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3",
+ "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b05d678b-4d87-4261-9366-f8b757a77661.json b/ics-attack/relationship/relationship--b05d678b-4d87-4261-9366-f8b757a77661.json
index 9ef0122439..43265dcdde 100644
--- a/ics-attack/relationship/relationship--b05d678b-4d87-4261-9366-f8b757a77661.json
+++ b/ics-attack/relationship/relationship--b05d678b-4d87-4261-9366-f8b757a77661.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e13b82a3-1275-424c-8d8e-e954b3f69605",
+ "id": "bundle--ffb16070-c39b-4fca-8475-9e03774fe0a5",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--b05d678b-4d87-4261-9366-f8b757a77661",
 "created": "2024-03-28T14:27:51.356Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "FireEye TRITON Dec 2017",
diff --git a/ics-attack/relationship/relationship--b07e6896-a840-49a1-8d58-94396a902b95.json b/ics-attack/relationship/relationship--b07e6896-a840-49a1-8d58-94396a902b95.json
index 63b7d99c5e..0079b56705 100644
--- a/ics-attack/relationship/relationship--b07e6896-a840-49a1-8d58-94396a902b95.json
+++ b/ics-attack/relationship/relationship--b07e6896-a840-49a1-8d58-94396a902b95.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9935f4c9-e648-49e7-a516-b2d90909bbbc",
+ "id": "bundle--89aad5a8-e761-4e17-9930-b5ac3ccc9287",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--b07e6896-a840-49a1-8d58-94396a902b95",
 "created": "2023-03-31T17:56:07.978Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "ESET Industroyer",
diff --git a/ics-attack/relationship/relationship--b0831dd8-64c9-42a8-bf2f-755bdffaca59.json b/ics-attack/relationship/relationship--b0831dd8-64c9-42a8-bf2f-755bdffaca59.json
index 9345f35e98..ca8d6d3166 100644
--- a/ics-attack/relationship/relationship--b0831dd8-64c9-42a8-bf2f-755bdffaca59.json
+++ b/ics-attack/relationship/relationship--b0831dd8-64c9-42a8-bf2f-755bdffaca59.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8cb0b235-c252-4e4c-8b51-a5c6523a7e9a",
+ "id": "bundle--e8e33ab8-1865-45e9-af4c-c8e4549e4acb",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--b0831dd8-64c9-42a8-bf2f-755bdffaca59",
 "created": "2025-09-24T18:23:39.645Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1.json b/ics-attack/relationship/relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1.json
index 455adfb2ac..acf476db45 100644
--- a/ics-attack/relationship/relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1.json
+++ b/ics-attack/relationship/relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e750387a-4ec9-4ff3-b960-383f056a1c33",
+ "id": "bundle--31fd9611-fa1d-4c63-b07e-f780f647331d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1",
 "created": "2023-09-28T21:21:18.081Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:04:12.342Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
 "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
diff --git a/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json b/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json
index dc84078a91..316ab3e957 100644
--- a/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json
+++ b/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b96e6bf0-4894-4ad4-9957-0f3f5e855f65",
+ "id": "bundle--708c57c9-f34c-45c6-88bc-44e2bc2c575d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--b13417ea-d8da-497f-818f-d2d90562039a",
 "created": "2020-09-21T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json b/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json
index 32472404cc..38889d981b 100644
--- a/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json
+++ b/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1f606bb9-0c7e-40e8-ae55-ea47106fe381",
+ "id": "bundle--957a6424-6811-4416-8df0-02ad0a620321",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--b1921480-8499-46a9-8396-2a2d747c5861.json b/ics-attack/relationship/relationship--b1921480-8499-46a9-8396-2a2d747c5861.json
index 5de874310f..ff40760d0d 100644
--- a/ics-attack/relationship/relationship--b1921480-8499-46a9-8396-2a2d747c5861.json
+++ b/ics-attack/relationship/relationship--b1921480-8499-46a9-8396-2a2d747c5861.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--25dad5a2-93ee-410e-b716-7a5889cbacfa",
+ "id": "bundle--0694dfb2-b305-48e5-add1-65a83fc9bbf3",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--b1921480-8499-46a9-8396-2a2d747c5861",
 "created": "2023-09-28T19:58:00.892Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:04:13.826Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
 "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
diff --git a/ics-attack/relationship/relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2.json b/ics-attack/relationship/relationship--b1c35486-c714-4517-9f59-742765773fa3.json
similarity index 71%
rename from ics-attack/relationship/relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2.json
rename to ics-attack/relationship/relationship--b1c35486-c714-4517-9f59-742765773fa3.json
index 6e3d64af6d..ec4dd8b9e1 100644
--- a/ics-attack/relationship/relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2.json
+++ b/ics-attack/relationship/relationship--b1c35486-c714-4517-9f59-742765773fa3.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--28111682-b947-4755-8fe2-4b64f0c802d9",
+ "id": "bundle--28712ccd-e84d-4aa4-bbc6-e50855c1af04",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2",
+ "id": "relationship--b1c35486-c714-4517-9f59-742765773fa3",
 "created": "2023-09-28T20:15:56.470Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -13,13 +13,12 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:04:47.514Z",
- "description": "",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2",
 "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json b/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json
index daf14490c2..92bb26f4ed 100644
--- a/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json
+++ b/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--289c355b-a508-4d13-a7a6-ddf713f2a3a2",
+ "id": "bundle--93f26635-b06c-4c1d-9b42-c857827c8147",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--b217aaf1-0fe7-43cc-85ad-45b252651e2d.json b/ics-attack/relationship/relationship--b217aaf1-0fe7-43cc-85ad-45b252651e2d.json
new file mode 100644
index 0000000000..47f3dff4f2
--- /dev/null
+++ b/ics-attack/relationship/relationship--b217aaf1-0fe7-43cc-85ad-45b252651e2d.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--a655298e-ceb1-436b-a1c1-55debe43149b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--b217aaf1-0fe7-43cc-85ad-45b252651e2d",
+ "created": "2026-04-23T14:11:52.981Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Anton Cherepanov, ESET June 2017",
+ "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T14:11:52.981Z",
+ "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.(Citation: Anton Cherepanov, ESET June 2017)",
+ "relationship_type": "uses",
+ "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
+ "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b21e0340-976d-44b2-94ae-f777199993c6.json b/ics-attack/relationship/relationship--b21e0340-976d-44b2-94ae-f777199993c6.json
index 3a9a7fd360..737b885c24 100644
--- a/ics-attack/relationship/relationship--b21e0340-976d-44b2-94ae-f777199993c6.json
+++ b/ics-attack/relationship/relationship--b21e0340-976d-44b2-94ae-f777199993c6.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d09387c-65f3-4211-9513-d787a5b772de", + "id": "bundle--24858f48-2ea4-49a3-b2ec-f2f4f51c302a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b21e0340-976d-44b2-94ae-f777199993c6", "created": "2023-09-28T19:39:00.326Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:14.229Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--b22637e7-f58c-4c7e-9d76-4b3ee97fa14b.json b/ics-attack/relationship/relationship--b22637e7-f58c-4c7e-9d76-4b3ee97fa14b.json index dd9d6d95c1..cf6c308ce7 100644 --- a/ics-attack/relationship/relationship--b22637e7-f58c-4c7e-9d76-4b3ee97fa14b.json +++ b/ics-attack/relationship/relationship--b22637e7-f58c-4c7e-9d76-4b3ee97fa14b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4ea2f116-bc23-4563-a6fc-a21a65d39a2e", + "id": "bundle--f5e3dd9e-df89-4ffe-82c4-30219b4a5e8c", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b22637e7-f58c-4c7e-9d76-4b3ee97fa14b", "created": "2025-09-29T19:15:08.997Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--b22c6faf-0046-4f89-8c5a-4f5ca44b638d.json b/ics-attack/relationship/relationship--b22c6faf-0046-4f89-8c5a-4f5ca44b638d.json index f8b5933468..950d390035 100644 --- a/ics-attack/relationship/relationship--b22c6faf-0046-4f89-8c5a-4f5ca44b638d.json +++ b/ics-attack/relationship/relationship--b22c6faf-0046-4f89-8c5a-4f5ca44b638d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8589436b-1276-41d9-9220-e2f1a319426d", + "id": "bundle--2afa574b-5661-4c17-a85e-97cc15a81a90", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b22c6faf-0046-4f89-8c5a-4f5ca44b638d", "created": "2025-09-29T19:05:33.788Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json b/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json index 25be7e1f6b..abee968d3f 100644 --- a/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json +++ b/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bdb821f1-a454-465e-a672-9e080025c998", + "id": "bundle--1aed77ed-06c4-4e3f-8a12-9125d883b8ff", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov", diff --git a/ics-attack/relationship/relationship--b2823439-efbd-4f91-9a7f-753d40004bc8.json b/ics-attack/relationship/relationship--b2823439-efbd-4f91-9a7f-753d40004bc8.json index 57bab63cd4..36686b3df3 100644 --- a/ics-attack/relationship/relationship--b2823439-efbd-4f91-9a7f-753d40004bc8.json +++ b/ics-attack/relationship/relationship--b2823439-efbd-4f91-9a7f-753d40004bc8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c840d020-fe43-491f-bc29-864b6c14b9c8", + "id": "bundle--8f13eca3-aae8-47d2-b860-e9760a803bb1", "spec_version": "2.0", "objects": [ { 
@@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--fb0931d5-8eb9-4db2-a2a4-447c32b29bd4", "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", diff --git a/ics-attack/relationship/relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json b/ics-attack/relationship/relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json index 61837fc587..1ce2086e2d 100644 --- a/ics-attack/relationship/relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json +++ b/ics-attack/relationship/relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97073745-ff0f-44ca-824c-dfa959604687", + "id": "bundle--95c34322-6b2c-419b-a783-b13292757c1f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a", "created": "2023-09-28T21:10:50.480Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:14.850Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--b2c3e6df-3e82-4b82-bb62-ca219dfdb934.json b/ics-attack/relationship/relationship--b2c3e6df-3e82-4b82-bb62-ca219dfdb934.json new file mode 100644 index 0000000000..3f28ae156e --- /dev/null +++ b/ics-attack/relationship/relationship--b2c3e6df-3e82-4b82-bb62-ca219dfdb934.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--02d2ab3c-369f-43da-9ceb-abbdce388117", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b2c3e6df-3e82-4b82-bb62-ca219dfdb934", + "created": "2026-04-22T16:37:53.016Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:37:53.016Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json b/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json index 317f3efeef..4000869eda 100644 --- a/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json +++ b/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cff43bd3-456f-44ad-b578-ee0d539c8a66", + "id": "bundle--a53d7030-2423-42bd-80b8-619aa119079a", "spec_version": "2.0", "objects": [ { 
@@ -8,27 +8,28 @@ "id": "relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { - "source_name": "D. Parsons and D. Wylie September 2019", - "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", - "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" }, { "source_name": "Colin Gray", "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" }, + { + "source_name": "D. Parsons and D. Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, { "source_name": "Josh Rinaldi April 2016", "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 
2020/09/25 ", "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" }, - { - "source_name": "Aditya K Sood July 2019", - "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", - "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" - }, { "source_name": "Langner November 2018", "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25 ", 
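Review bot: The `Colin Gray` entry, kept as context in the reordered `external_references` array of relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc, has a `description` that opens with the full D. Parsons and D. Wylie citation before its own title, so two sources are merged into one reference. A reader resolving `(Citation: Colin Gray)` from the mitigation text gets a misleading attribution for the selinc.com paper. Since the array is being rewritten in this hunk anyway, the entry could be reduced to its own source, e.g. `"description": "Colin Gray How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ",`, with the publication date filled in from the paper in the format the neighbouring entries use.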
@@ -38,14 +39,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:35.109Z", - "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", + "modified": "2026-04-23T19:40:09.561Z", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.(Citation: D. Parsons and D. Wylie September 2019)(Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery(Citation: Josh Rinaldi April 2016), BACnet(Citation: Aditya K Sood July 2019), and Ethernet/IP.(Citation: Langner November 2018)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json b/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json index 267a295ab9..fb3ca1b0d9 100644 --- a/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json +++ b/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa50c0b3-f9ae-4854-b412-0403e732ba11", + "id": "bundle--eb637e3b-399c-4586-95f3-435176db947c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f.json b/ics-attack/relationship/relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f.json index 309d81bdd0..2b45ba342e 100644 --- a/ics-attack/relationship/relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f.json +++ b/ics-attack/relationship/relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed8d4ab0-45f5-4f8d-bf59-d18791e7d134", + "id": "bundle--f1e857a5-f4b3-46e8-a288-6dc10dd20ad3", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f", "created": "2023-09-29T17:42:11.005Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:15.471Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--b33f2abc-a218-425b-9a90-b75445b7e142.json b/ics-attack/relationship/relationship--b33f2abc-a218-425b-9a90-b75445b7e142.json index e6bde6e0d4..2154c38151 100644 --- a/ics-attack/relationship/relationship--b33f2abc-a218-425b-9a90-b75445b7e142.json +++ b/ics-attack/relationship/relationship--b33f2abc-a218-425b-9a90-b75445b7e142.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9ec44b1f-38b2-42b4-b57f-259b8b2638b4", + "id": "bundle--39b47d38-90c1-4b42-ba5a-8faecaa55c57", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--b33f2abc-a218-425b-9a90-b75445b7e142", "created": "2023-09-29T18:05:51.795Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:15.729Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--b340e488-cae9-4c72-a704-ecb5ce7d9348.json b/ics-attack/relationship/relationship--b340e488-cae9-4c72-a704-ecb5ce7d9348.json index ba7417d974..47396f6321 100644 --- a/ics-attack/relationship/relationship--b340e488-cae9-4c72-a704-ecb5ce7d9348.json +++ b/ics-attack/relationship/relationship--b340e488-cae9-4c72-a704-ecb5ce7d9348.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1a28f5cb-39d0-4718-931f-6fdf53e1b53d", + "id": "bundle--c435a497-3576-4959-af59-3c73e78609e8", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c7aea5e8-cd8b-4f79-be41-3a446cdde7b7", "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", diff --git a/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json b/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json index 73b85fdab7..a97ef03a62 100644 --- a/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json +++ b/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--29cab06f-5d37-495c-9341-1f47a891a991", + "id": "bundle--1f0434f4-98b4-4f36-92ce-450098a22e6e", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--b343e131-e448-46c6-815b-b86e4bd6d638", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Threat Intelligence August 2019", diff --git a/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json b/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json index 3abbbbd442..fd1b46e883 100644 --- a/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json +++ b/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a03c949-fe21-4a60-9b8a-dfd19e0de50f", + "id": "bundle--0bd494e9-b120-470a-81b9-c9cc918228c3", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b346eec8-de90-407c-b665-387086bb4553", "created": "2022-09-29T01:36:02.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Wylie-22", diff --git a/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json b/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json index db68253bbf..9e05f8e864 100644 --- a/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json +++ b/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d11829e-6027-4ca1-8b6b-e1c1675ae07e", + "id": "bundle--d541aff3-422b-4b97-970c-06c917c7785a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json b/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json index d1746ec55f..221c1d6e4a 100644 --- a/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json 
+++ b/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28e56ac2-31ce-4c70-ba90-849b315319ae", + "id": "bundle--1d3416d5-8cc3-4e49-9591-a31bbe1a3ab6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8.json b/ics-attack/relationship/relationship--b36d4c7e-2d4e-40ae-ae56-55c94adaf760.json similarity index 71% rename from ics-attack/relationship/relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8.json rename to ics-attack/relationship/relationship--b36d4c7e-2d4e-40ae-ae56-55c94adaf760.json index b8310e144d..858ee195d4 100644 --- a/ics-attack/relationship/relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8.json +++ b/ics-attack/relationship/relationship--b36d4c7e-2d4e-40ae-ae56-55c94adaf760.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--d7582a81-d1fd-4eef-b45a-4c551aab2f5e", + "id": "bundle--76631ac7-be08-482a-a30c-b500a5a30986", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8", + "id": "relationship--b36d4c7e-2d4e-40ae-ae56-55c94adaf760", "created": "2023-09-29T17:59:11.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:39.381Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
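Review bot: The rename to relationship--b36d4c7e-2d4e-40ae-ae56-55c94adaf760 replaces the object `id` and `source_ref` in one step, and no revoked copy of `relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8` is visible in this part of the commit. A consumer that already ingested the old object keeps a `targets` edge from `attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349` to the asset and gets no signal that it was withdrawn. If the old id is not retired elsewhere in the commit, it should be kept with `"revoked": true,` and a fresh `modified`. The new object should also get its own `created` value rather than inheriting `2023-09-29T17:59:11.267Z`. The renames to relationship--b3b289bf-da9d-40b2-bedd-ca1b65271825 and relationship--b58f623d-c61f-46e8-b356-09af226ba9ad follow the same pattern.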
diff --git a/ics-attack/relationship/relationship--b37844c1-0338-44f6-9116-48fa0f079913.json b/ics-attack/relationship/relationship--b37844c1-0338-44f6-9116-48fa0f079913.json index 6b72f397de..52e7018ee9 100644 --- a/ics-attack/relationship/relationship--b37844c1-0338-44f6-9116-48fa0f079913.json +++ b/ics-attack/relationship/relationship--b37844c1-0338-44f6-9116-48fa0f079913.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ba8c38b2-4bb6-4c9e-a2cf-2423c12c3806", + "id": "bundle--cf51c472-18a9-49f1-88f5-7681bad12f65", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b37844c1-0338-44f6-9116-48fa0f079913", "created": "2023-09-29T17:41:11.611Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:16.850Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json b/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json index ff0b148a7c..b194561760 100644 --- a/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json +++ b/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bfd4b243-ba1e-484e-ba65-856dfe49d3b7", + "id": "bundle--c9004fbf-f355-4470-95cc-51e45609bcb7", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Chris Bing May 2018", 
diff --git a/ics-attack/relationship/relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2.json b/ics-attack/relationship/relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2.json index e1992f8461..18893a0f38 100644 --- a/ics-attack/relationship/relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2.json +++ b/ics-attack/relationship/relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cad8d86d-61da-4a89-a96a-12bcdfac4ee7", + "id": "bundle--7e85daaa-29cf-4ca4-8c6a-c889580f135f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2", "created": "2023-09-28T19:48:58.160Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:17.270Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json b/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json index e3ba2880a9..5fc8f5315f 100644 --- a/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json +++ b/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b85cd7b-a090-48a5-b8aa-5802df3acb8b", + "id": "bundle--c53d9bb4-60c0-43b3-bd6e-985a89e46450", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a.json b/ics-attack/relationship/relationship--b3b289bf-da9d-40b2-bedd-ca1b65271825.json similarity index 71% rename from ics-attack/relationship/relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a.json rename to ics-attack/relationship/relationship--b3b289bf-da9d-40b2-bedd-ca1b65271825.json index 51a982099c..3cab36ba03 100644 --- a/ics-attack/relationship/relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a.json +++ b/ics-attack/relationship/relationship--b3b289bf-da9d-40b2-bedd-ca1b65271825.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--0caa2940-9625-4642-9a04-cbb217586dcd", + "id": "bundle--4542b21a-d06d-4d62-a81f-eb394d8acd88", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a", + "id": "relationship--b3b289bf-da9d-40b2-bedd-ca1b65271825", "created": "2023-10-02T20:18:11.933Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:48.055Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b3f2990b-855e-49f3-b657-6b24118b2d19.json b/ics-attack/relationship/relationship--b3f2990b-855e-49f3-b657-6b24118b2d19.json index 8567e73788..38cd3d894e 100644 --- a/ics-attack/relationship/relationship--b3f2990b-855e-49f3-b657-6b24118b2d19.json 
+++ b/ics-attack/relationship/relationship--b3f2990b-855e-49f3-b657-6b24118b2d19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--af5cc4d3-6898-449b-9013-fb7d36b994a1", + "id": "bundle--e2b9f5b2-059c-40ef-b425-fdcd768785c5", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b3f2990b-855e-49f3-b657-6b24118b2d19", "created": "2025-09-29T19:48:23.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--b3f2dffc-b79d-4de0-85eb-2d3238a4f36b.json b/ics-attack/relationship/relationship--b3f2dffc-b79d-4de0-85eb-2d3238a4f36b.json new file mode 100644 index 0000000000..7432a6a843 --- /dev/null +++ b/ics-attack/relationship/relationship--b3f2dffc-b79d-4de0-85eb-2d3238a4f36b.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--c47c1575-3d59-4033-8fde-5e2cde85c5ef", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b3f2dffc-b79d-4de0-85eb-2d3238a4f36b", + "created": "2026-04-20T20:54:21.776Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:21.776Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08.json b/ics-attack/relationship/relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08.json index 200868c62b..6e95b86ebe 100644 
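Review bot: The new `subtechnique-of` object relationship--b3f2dffc-b79d-4de0-85eb-2d3238a4f36b has no `x_mitre_deprecated` key, while the other relationship files added in this commit (relationship--b217aaf1-0fe7-43cc-85ad-45b252651e2d, relationship--b2c3e6df-3e82-4b82-bb62-ca219dfdb934, relationship--b58d2485-55f4-45ee-b2e1-6e067ae8d81b) all set it to `false`. Tooling that filters live relationships with a strict check on that key would drop or mishandle this edge, and the parent/sub-technique link would go missing from coverage views. Unless the omission is deliberate for this relationship type, add `"x_mitre_deprecated": false,` after the `x_mitre_modified_by_ref` line so the shape matches the sibling objects.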
--- a/ics-attack/relationship/relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08.json +++ b/ics-attack/relationship/relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43266579-2d8d-438a-81ea-bb51233f0f92", + "id": "bundle--84137c37-5192-438a-9acf-47c500d19cbc", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08", "created": "2023-09-28T20:02:20.170Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:17.889Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json b/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json index 469e637bb8..938e2020f9 100644 --- a/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json +++ b/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a528822f-7c20-4699-8067-39db3070e547", + "id": "bundle--7734b6ad-235d-4906-88f4-9d9b54a6e563", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov", diff --git a/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json b/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json index 8e7872cfdb..2add0f5906 100644 
--- a/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json +++ b/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e258406-9852-41fc-b3d7-ca6b9544816d", + "id": "bundle--1987c4d2-7f5a-4541-ae7f-4b9600d19a58", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json b/ics-attack/relationship/relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json index 12a9c34adb..5b1ffa167e 100644 --- a/ics-attack/relationship/relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json +++ b/ics-attack/relationship/relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ef4b4b8-659b-4386-aa99-a7d898b04a2d", + "id": "bundle--a7142110-33d9-4d2c-ba1d-9c2b5b477b99", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3", "created": "2023-03-30T18:59:30.677Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json b/ics-attack/relationship/relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json index de0ee57eea..14090d0dbd 100644 --- a/ics-attack/relationship/relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json +++ b/ics-attack/relationship/relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7afa42ad-b4b2-4d60-b1ed-349fccff90b3", + "id": "bundle--7657773e-0e58-4a0a-ada2-ddcae24d279d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1", "created": "2023-03-10T20:10:23.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", diff --git a/ics-attack/relationship/relationship--b58d2485-55f4-45ee-b2e1-6e067ae8d81b.json b/ics-attack/relationship/relationship--b58d2485-55f4-45ee-b2e1-6e067ae8d81b.json new file mode 100644 index 0000000000..bee206f5da --- /dev/null +++ b/ics-attack/relationship/relationship--b58d2485-55f4-45ee-b2e1-6e067ae8d81b.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--84f742de-bbc0-4b5d-bfee-d479cbb27020", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b58d2485-55f4-45ee-b2e1-6e067ae8d81b", + "created": "2026-04-22T22:34:12.580Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:34:12.580Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json b/ics-attack/relationship/relationship--b58f623d-c61f-46e8-b356-09af226ba9ad.json similarity index 77% rename from ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json rename to ics-attack/relationship/relationship--b58f623d-c61f-46e8-b356-09af226ba9ad.json index c1647aa8f6..9ba3b50574 100644 --- a/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json +++ b/ics-attack/relationship/relationship--b58f623d-c61f-46e8-b356-09af226ba9ad.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--3cc9f56c-5544-4fdf-adcc-8d2924a49cab", + "id": "bundle--7abc5bd8-bfc0-4ac8-9dbf-75c33467d9d1", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--65a45501-10de-46a2-89bf-03bbf17aba33", + "id": "relationship--b58f623d-c61f-46e8-b356-09af226ba9ad", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
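Review bot: The object in relationship--b58f623d… gets a new `id` and a new `target_ref`, yet `created` stays at `2020-09-21T17:59:24.739Z`, so a newly minted STIX object reports a creation time that predates it. The old id relationship--65a45501… vanishes with the rename and, as far as this diff shows, leaves no `"revoked": true` record behind, so a store keyed on id keeps the stale mitigates link to attack-pattern--efbf7888… unless it does a full replace. The renames to relationship--b7a32080… and relationship--b9608e90… further down have the same shape and also leave `modified` at its 2025 value while changing `source_ref`. Set `created` and `modified` to the time the new object was made, as the b9b45f7a rename at the end of this chunk does for `created`, and consider publishing the retired ids as revoked.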
diff --git a/ics-attack/relationship/relationship--b59a96e4-bd70-4459-9609-66563bccd9c3.json b/ics-attack/relationship/relationship--b59a96e4-bd70-4459-9609-66563bccd9c3.json index 626fe23e5e..6632ed857a 100644 --- a/ics-attack/relationship/relationship--b59a96e4-bd70-4459-9609-66563bccd9c3.json +++ b/ics-attack/relationship/relationship--b59a96e4-bd70-4459-9609-66563bccd9c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab0a4006-172f-4ebf-9293-37dd4e74c862", + "id": "bundle--5d16eaf5-3c75-4789-b8cd-696778569b6f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b59a96e4-bd70-4459-9609-66563bccd9c3", "created": "2023-09-29T16:38:21.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:19.725Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json b/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json index 4f55c55c2b..4e8a2cdbd5 100644 --- a/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json +++ b/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc3583e9-0de6-4703-a3cc-4723921ccf24", + "id": "bundle--41166399-8dc7-4757-8bac-410a00675011", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Hydro", 
diff --git a/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json b/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json index 1c82f3e4e1..e021070e74 100644 --- a/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json +++ b/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85531d86-e30e-4261-831a-e90db14fc32d", + "id": "bundle--12b3fd16-4feb-4ce2-ae21-450a709811e1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json b/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json index f604de175b..74c64cd334 100644 --- a/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json +++ b/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4ec33bfe-fd6a-4f27-83dd-79b64fce3419", + "id": "bundle--bbeb4b18-e557-4cbc-9f74-65dd14ea4e72", "spec_version": "2.0", "objects": [ { 
@@ -8,17 +8,18 @@ "id": "relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:26:38.550Z", - "description": "Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.\n", + "modified": "2026-04-22T13:20:13.471Z", + "description": "Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft Windows.Graphics.Capture APIs), however, these may be needed for other critical applications.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json b/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json index 25e00b5801..7f99b0c6cf 100644 --- a/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json +++ b/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d73f8aa-c5b5-4916-a3f2-390de29b55a3", + "id": "bundle--57f8c6d2-dee0-4d5a-94a5-ef3c61aa769a", "spec_version": "2.0", "objects": [ { 
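Review bot: The added `"revoked": false` in the relationship--b5e52859… hunk goes the opposite way from the rest of the commit, which deletes the same key from many other relationship objects (b411f748, b452a076, b47dbc50 and more), so some objects now state the default and others omit it. STIX treats a missing `revoked` as false, but a consumer that filters on the key with a strict comparison will silently drop or keep the wrong set; the exporter should pick one policy and apply it to every object. The same hunk also keeps the trailing `\n` inside `description`, which the descriptions newly added in this commit do not carry.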
diff --git a/ics-attack/relationship/relationship--b6309476-8268-4c47-920b-8a556cd8ae4c.json b/ics-attack/relationship/relationship--b6309476-8268-4c47-920b-8a556cd8ae4c.json index 30826abfbe..f3e50a7040 100644 --- a/ics-attack/relationship/relationship--b6309476-8268-4c47-920b-8a556cd8ae4c.json +++ b/ics-attack/relationship/relationship--b6309476-8268-4c47-920b-8a556cd8ae4c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5895392f-4afe-4f12-89a1-ea81ceeac853", + "id": "bundle--aa693944-8aa3-43d1-840a-b432cdae3ad5", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b6309476-8268-4c47-920b-8a556cd8ae4c", "created": "2023-09-29T18:47:07.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:20.814Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--b69905bd-6865-4092-9543-47bd9ae318ec.json b/ics-attack/relationship/relationship--b69905bd-6865-4092-9543-47bd9ae318ec.json index f86629e531..ff541751cd 100644 --- a/ics-attack/relationship/relationship--b69905bd-6865-4092-9543-47bd9ae318ec.json +++ b/ics-attack/relationship/relationship--b69905bd-6865-4092-9543-47bd9ae318ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e484d49a-5547-40d2-badc-abe6f5761569", + "id": "bundle--6e52ae8e-341a-4e1d-95fe-9863d9c1e32e", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--b69905bd-6865-4092-9543-47bd9ae318ec", "created": "2023-09-28T19:54:22.618Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:20.999Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json b/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json index 7a2d56d629..daa265d165 100644 --- a/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json +++ b/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ef324df-0c35-4db9-8ffd-ff9e9678a22d", + "id": "bundle--3d16ac36-f455-4a0d-80e0-c0fb1982223f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b6a51a26-94fd-419f-b0c1-cc61e02e1475.json b/ics-attack/relationship/relationship--b6a51a26-94fd-419f-b0c1-cc61e02e1475.json index 4b5c13b9f6..0a50cf3c08 100644 --- a/ics-attack/relationship/relationship--b6a51a26-94fd-419f-b0c1-cc61e02e1475.json +++ b/ics-attack/relationship/relationship--b6a51a26-94fd-419f-b0c1-cc61e02e1475.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1414b27c-7d38-441c-8388-325618a72e37", + "id": "bundle--980263ad-852b-474f-83d0-c19273d1f335", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b6a51a26-94fd-419f-b0c1-cc61e02e1475", "created": "2025-09-24T18:14:21.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--b6f48e41-f7a9-45ca-b445-9e262dd307a2.json b/ics-attack/relationship/relationship--b6f48e41-f7a9-45ca-b445-9e262dd307a2.json index 3b699aee12..2a10b89255 100644 --- a/ics-attack/relationship/relationship--b6f48e41-f7a9-45ca-b445-9e262dd307a2.json +++ b/ics-attack/relationship/relationship--b6f48e41-f7a9-45ca-b445-9e262dd307a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a774593-5879-40a2-975f-fb31b81ae47e", + "id": "bundle--9cdb4f61-317f-4457-9cd9-be79ce3bc46f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b6f48e41-f7a9-45ca-b445-9e262dd307a2", "created": "2025-09-29T19:54:47.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--b720b42c-5eba-4164-9c3d-8b4eabde4716.json b/ics-attack/relationship/relationship--b720b42c-5eba-4164-9c3d-8b4eabde4716.json index a4236b10ac..779d1d131b 100644 --- a/ics-attack/relationship/relationship--b720b42c-5eba-4164-9c3d-8b4eabde4716.json +++ b/ics-attack/relationship/relationship--b720b42c-5eba-4164-9c3d-8b4eabde4716.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c4530ce1-4917-431b-a8d9-862f58ebb140", + "id": "bundle--b1726800-be80-4afd-8faf-4d0ce656ea3d", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--194cb4dd-81ca-4e64-94e2-911fab1219f9", "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", diff --git a/ics-attack/relationship/relationship--b7284360-0d80-45bb-8486-263ae8f8fa63.json b/ics-attack/relationship/relationship--b7284360-0d80-45bb-8486-263ae8f8fa63.json index 373cff0bce..d80343c220 100644 
--- a/ics-attack/relationship/relationship--b7284360-0d80-45bb-8486-263ae8f8fa63.json +++ b/ics-attack/relationship/relationship--b7284360-0d80-45bb-8486-263ae8f8fa63.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4c7f3b52-e789-4314-91da-369548442529", + "id": "bundle--a5a65a36-9d0c-45ef-81f8-6d3204d6c88a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b7284360-0d80-45bb-8486-263ae8f8fa63", "created": "2023-09-28T21:26:01.106Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:21.421Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json b/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json index 6bd1b66fe4..d09633886e 100644 --- a/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json +++ b/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--133272b1-c138-47f1-9c37-436250c584c0", + "id": "bundle--65ca8e2c-aa8f-48b8-92ca-f74149a1808d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b7344dfb-621b-4558-ab22-6c1f256ee746.json b/ics-attack/relationship/relationship--b7344dfb-621b-4558-ab22-6c1f256ee746.json index 63842c7817..150b812ca9 100644 --- a/ics-attack/relationship/relationship--b7344dfb-621b-4558-ab22-6c1f256ee746.json +++ b/ics-attack/relationship/relationship--b7344dfb-621b-4558-ab22-6c1f256ee746.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6a0ff582-5cae-4567-85a1-40f8f2bbe9f4", + "id": "bundle--268d70f6-5353-48a4-b32e-0b6236791aaf", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b7344dfb-621b-4558-ab22-6c1f256ee746", "created": "2023-09-29T16:46:27.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:21.886Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json b/ics-attack/relationship/relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json index b1ff0de7c6..03185bc624 100644 --- a/ics-attack/relationship/relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json +++ b/ics-attack/relationship/relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--24e42d5c-7444-4ad3-8d26-5569a0a37791", + "id": "bundle--55b1a6e6-a3c6-4427-ab48-798c13b6a51b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2", "created": "2023-09-29T18:57:10.064Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:22.081Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", 
diff --git a/ics-attack/relationship/relationship--b7943cdb-1a6b-46cf-aebe-8282fd86c357.json b/ics-attack/relationship/relationship--b7943cdb-1a6b-46cf-aebe-8282fd86c357.json index 0f8dc6818c..eb1f7d4d9e 100644 --- a/ics-attack/relationship/relationship--b7943cdb-1a6b-46cf-aebe-8282fd86c357.json +++ b/ics-attack/relationship/relationship--b7943cdb-1a6b-46cf-aebe-8282fd86c357.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b8e44f21-2398-4c94-92ae-a3ef97b9878e", + "id": "bundle--7ece656a-c0f9-4caf-834a-e24bc5c323e2", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b7943cdb-1a6b-46cf-aebe-8282fd86c357", "created": "2025-09-24T18:04:00.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1.json b/ics-attack/relationship/relationship--b7a32080-49ce-432f-8b75-abd944be4e82.json similarity index 71% rename from ics-attack/relationship/relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1.json rename to ics-attack/relationship/relationship--b7a32080-49ce-432f-8b75-abd944be4e82.json index 0dfe173a6e..f74366ef61 100644 --- a/ics-attack/relationship/relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1.json +++ b/ics-attack/relationship/relationship--b7a32080-49ce-432f-8b75-abd944be4e82.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--58f0d36c-4e0a-43cd-900c-4e92b799fd51", + "id": "bundle--343d416c-dde6-4ae7-b844-b8f397f61f36", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1", + "id": "relationship--b7a32080-49ce-432f-8b75-abd944be4e82", "created": "2023-09-28T20:11:52.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:49.669Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586.json b/ics-attack/relationship/relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586.json index dbfeb20843..58bb564f51 100644 --- a/ics-attack/relationship/relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586.json +++ b/ics-attack/relationship/relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cdf59db4-2fc8-405b-a6c6-3add8401b028", + "id": "bundle--a015cad1-12fb-4575-a242-a32829e428db", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586", "created": "2023-09-28T19:51:42.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:22.505Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json b/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json index d330dd18d8..c349e3f00a 100644 --- a/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json 
+++ b/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--331dd8ee-2b37-4ede-b9ef-c7f0efadc934", + "id": "bundle--f71f11ff-0f0e-4dcd-a4df-f6d9893774fe", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json b/ics-attack/relationship/relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json index a125a64a03..3d8ac42087 100644 --- a/ics-attack/relationship/relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json +++ b/ics-attack/relationship/relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--72154e45-e41b-44d5-8dda-b8bc238bb30a", + "id": "bundle--82491e18-62a7-4bfd-8c0f-79cdf6bfd84e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e", "created": "2023-09-29T18:42:53.573Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:22.938Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--b8c33196-8fc2-4855-b764-cd49554f0223.json b/ics-attack/relationship/relationship--b8c33196-8fc2-4855-b764-cd49554f0223.json new file mode 100644 index 0000000000..3e23a519a2 --- /dev/null +++ b/ics-attack/relationship/relationship--b8c33196-8fc2-4855-b764-cd49554f0223.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--44a3e337-4545-4696-9a3f-769a42c4caa2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b8c33196-8fc2-4855-b764-cd49554f0223", + "created": "2026-04-22T20:28:21.888Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" + }, + { + "source_name": "Colin Gray", + "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" + }, + { + "source_name": "D. Parsons and D. Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, + { + "source_name": "Josh Rinaldi April 2016", + "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", + "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" + }, + { + "source_name": "Langner November 2018", + "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 
2020/09/25 ", + "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:44:25.851Z", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols.(Citation: D. Parsons and D. Wylie September 2019)(Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery(Citation: Josh Rinaldi April 2016), BACnet(Citation: Aditya K Sood July 2019), and Ethernet/IP.(Citation: Langner November 2018)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json b/ics-attack/relationship/relationship--b8ce3f0c-7c11-4846-b567-a5d4233b0e6e.json similarity index 76% rename from ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json rename to ics-attack/relationship/relationship--b8ce3f0c-7c11-4846-b567-a5d4233b0e6e.json index 4cb34824a4..93445199d4 100644 --- a/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json +++ b/ics-attack/relationship/relationship--b8ce3f0c-7c11-4846-b567-a5d4233b0e6e.json 
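Review bot: The `Colin Gray` entry in `external_references` of the new relationship--b8c33196… file has a `description` that runs two citations together: it opens with the D. Parsons and D. Wylie title and retrieval date and only then gives "How SDN Can Improve Cybersecurity in OT Networks", while its `url` points at the SDN paper. A reader following `(Citation: Colin Gray)` from the mitigation text cannot tell which source backs the statement about discovery protocols. Reduce the entry to the one reference its URL serves, for example `"description": "Colin Gray <PUBLICATION DATE> How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25"`, with the date taken from the paper. The `source_name` also lacks the month and year that the sibling entries carry.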
@@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--aab3a8d2-47f4-4ab5-a538-2f27452eccaf", + "id": "bundle--b65669e3-c796-4483-9bb8-12b633981c75", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14", + "id": "relationship--b8ce3f0c-7c11-4846-b567-a5d4233b0e6e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security September 2016", @@ -18,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:25:13.443Z", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "modified": "2026-04-23T19:13:00.762Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json b/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json index 14a13b59b8..ec941aead7 100644 --- a/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json +++ b/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6373c9bd-0459-4eb9-bd4b-be7da494f352", + "id": "bundle--93aef1fa-0c93-4e64-8a54-eb2ae5963435", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", diff --git a/ics-attack/relationship/relationship--b8e71df0-20c4-42b0-8d80-68e93fc084c2.json b/ics-attack/relationship/relationship--b8e71df0-20c4-42b0-8d80-68e93fc084c2.json new file mode 100644 index 0000000000..d095582af0 --- /dev/null +++ b/ics-attack/relationship/relationship--b8e71df0-20c4-42b0-8d80-68e93fc084c2.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--a82908f8-f8b1-4e5c-9ab9-f71da414c951", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b8e71df0-20c4-42b0-8d80-68e93fc084c2", + "created": "2026-04-22T20:13:51.408Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:20:39.685Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used default credentials to access Hitatchi RTUs, Mikronika RTUs, Hitachi Relion Protection and Control Relays, Mikronika HMI Computers, and Moxa NPort Serial Device Servers.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json b/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json index 50b9f789cd..a0c1eb1381 100644 --- a/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json +++ b/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json 
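Review bot: The `description` in the new relationship--b8e71df0… file spells the vendor "Hitatchi RTUs" and then "Hitachi Relion" in the same sentence; the first is a typo. Defenders search this data by vendor and product name when checking their own asset inventory against reported default-credential use, and the misspelling hides the RTU entry from a "Hitachi" query. Change the phrase to `Hitachi RTUs`.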
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2a56ccde-3743-48f8-8646-05ef5d4bbf56", + "id": "bundle--69be9619-ef6a-47be-845b-7c03d4d32777", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json b/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json index ac503183e5..1b43f19d45 100644 --- a/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json +++ b/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--54ad0061-4947-4104-9e6e-3538b43a1b5f", + "id": "bundle--79745917-96cb-41c1-933c-c2ef24114e70", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4.json b/ics-attack/relationship/relationship--b9608e90-25f7-4a0a-b621-5512827ac169.json similarity index 71% rename from ics-attack/relationship/relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4.json rename to ics-attack/relationship/relationship--b9608e90-25f7-4a0a-b621-5512827ac169.json index 67b6627a22..5f91b27283 100644 --- a/ics-attack/relationship/relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4.json +++ b/ics-attack/relationship/relationship--b9608e90-25f7-4a0a-b621-5512827ac169.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--8ed3f8f1-4f0d-4012-8b53-f0766955bab0", + "id": "bundle--20272a18-eb7d-4027-ab28-e7d4e0a45733", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4", + "id": "relationship--b9608e90-25f7-4a0a-b621-5512827ac169", "created": "2023-09-29T17:38:59.611Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:16.312Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json b/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json index 6ce30b4800..beed6fec42 100644 --- a/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json +++ b/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--149285a1-82dc-4ca4-9d66-9c8cab1780dd", + "id": "bundle--a20f6b1e-51f2-4c26-84d0-0b1b02649a17", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b9a1e946-4ece-48f3-949c-e1c2d39136fe.json b/ics-attack/relationship/relationship--b9a1e946-4ece-48f3-949c-e1c2d39136fe.json index 33c662613d..cbacbae8d4 100644 --- a/ics-attack/relationship/relationship--b9a1e946-4ece-48f3-949c-e1c2d39136fe.json +++ b/ics-attack/relationship/relationship--b9a1e946-4ece-48f3-949c-e1c2d39136fe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--93bd5fc0-2f36-4dee-9805-49f9c894fc23", + "id": "bundle--733fe521-8ad7-4658-8347-1f2a7b0ed382", "spec_version": "2.0", "objects": [ { 
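Review bot: The object published under the new id `relationship--b9608e90-25f7-4a0a-b621-5512827ac169` keeps `"created": "2023-09-29T17:38:59.611Z"` and `"modified": "2025-04-16T23:05:16.312Z"` as unchanged context, even though its `source_ref` and `x_mitre_attack_spec_version` change in this hunk. `relationship--b9b45f7a-742f-4b72-bdee-577ceb539499` in the same commit gets fresh `created` and `modified` values for the same kind of re-issue, so the two are handled inconsistently. A consumer that picks up changes by comparing `modified` (an assumption about downstream tooling) would not see this object as changed. Setting both timestamps to the re-issue time would avoid that. The same pattern appears in `relationship--ba49c0ad-293e-46c3-a0f9-30a25dba415a` and `relationship--bc6f2a51-9307-4268-a6d6-51c02ae893fd`.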
@@ -8,7 +8,6 @@ "id": "relationship--b9a1e946-4ece-48f3-949c-e1c2d39136fe", "created": "2025-09-29T19:14:59.837Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json b/ics-attack/relationship/relationship--b9b45f7a-742f-4b72-bdee-577ceb539499.json similarity index 73% rename from ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json rename to ics-attack/relationship/relationship--b9b45f7a-742f-4b72-bdee-577ceb539499.json index 791357447e..59ba085df8 100644 --- a/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json +++ b/ics-attack/relationship/relationship--b9b45f7a-742f-4b72-bdee-577ceb539499.json @@ -1,12 +1,12 @@ { "type": "bundle", - "id": "bundle--a554dc4a-2281-47be-b79a-10ee9a022d63", + "id": "bundle--5cea1c19-b278-4cb2-bb61-15ac845a8419", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c", - "created": "2018-10-17T00:14:20.652Z", + "id": "relationship--b9b45f7a-742f-4b72-bdee-577ceb539499", + "created": "2026-04-23T14:16:22.262Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ 
@@ -19,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:02:36.747Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "modified": "2026-04-23T18:46:02.040Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102.(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "relationship_type": "uses", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json b/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json index 03ebc9df30..e384319c8c 100644 --- a/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json +++ b/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5948c78-b566-40c7-b610-a8b697982fe1", + "id": "bundle--0dfdabf5-ec34-474f-a55c-7866fe4750d2", "spec_version": "2.0", "objects": [ { 
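Review bot: The rewritten `description` still carries the citation key `Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016`, where "Brggemann" looks like "Brüggemann" with the "ü" dropped by an encoding step. Since this line is being rewritten anyway, the name could be restored as `Br\u00fcggemann`, in line with the `\u` escaping the data already uses. The key must stay identical to the `source_name` in `external_references`, which sits above this hunk and is not visible here, so both need to change together or the citation will no longer resolve.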
diff --git a/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json b/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json index a211876e9b..d66b22e076 100644 --- a/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json +++ b/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c6f6c098-417a-485a-a957-995eae6285b7", + "id": "bundle--cc628e56-8a9f-44ea-b8c3-7860a8ea8b33", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ba24af7b-dd2f-4c21-9ec5-27758b88da9b.json b/ics-attack/relationship/relationship--ba24af7b-dd2f-4c21-9ec5-27758b88da9b.json index d95929b206..da1e8eec3c 100644 --- a/ics-attack/relationship/relationship--ba24af7b-dd2f-4c21-9ec5-27758b88da9b.json +++ b/ics-attack/relationship/relationship--ba24af7b-dd2f-4c21-9ec5-27758b88da9b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eaedad60-7630-4656-862c-0c724a77cc74", + "id": "bundle--4ba46de4-8b41-4049-92ec-8d955643ad95", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--ba24af7b-dd2f-4c21-9ec5-27758b88da9b", "created": "2025-09-29T19:57:16.248Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--ba394cbc-461d-44cc-8fa5-92f11a5c8e6b.json b/ics-attack/relationship/relationship--ba394cbc-461d-44cc-8fa5-92f11a5c8e6b.json new file mode 100644 index 0000000000..f0d14e4f73 --- /dev/null +++ b/ics-attack/relationship/relationship--ba394cbc-461d-44cc-8fa5-92f11a5c8e6b.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--48413a90-07e6-40e7-8382-561b2ecc20c2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ba394cbc-461d-44cc-8fa5-92f11a5c8e6b", + "created": "2026-04-22T18:53:03.069Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:53:03.069Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--6bdde391-76eb-4bd7-9e19-e805ab98b7ac", + "target_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c.json b/ics-attack/relationship/relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c.json index 133373b741..1047d89e3d 100644 --- a/ics-attack/relationship/relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c.json +++ b/ics-attack/relationship/relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3f286101-f517-432d-acb8-ad692f9a1f25", + "id": "bundle--033a08a0-972a-439e-9764-1c9006dd6d56", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c", "created": "2023-09-28T21:28:36.325Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:25.010Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
diff --git a/ics-attack/relationship/relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8.json b/ics-attack/relationship/relationship--ba49c0ad-293e-46c3-a0f9-30a25dba415a.json similarity index 71% rename from ics-attack/relationship/relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8.json rename to ics-attack/relationship/relationship--ba49c0ad-293e-46c3-a0f9-30a25dba415a.json index b802936a92..88ee7eac5d 100644 --- a/ics-attack/relationship/relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8.json +++ b/ics-attack/relationship/relationship--ba49c0ad-293e-46c3-a0f9-30a25dba415a.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--58672006-f2c9-45f9-8473-9dcc3cbd8dc7", + "id": "bundle--af278f1b-9b04-4529-9aa5-5ddc76ea6db6", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8", + "id": "relationship--ba49c0ad-293e-46c3-a0f9-30a25dba415a", "created": "2023-09-28T19:51:27.775Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:03.908Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json b/ics-attack/relationship/relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json index fd624bcd7e..3603ebc12f 100644 --- a/ics-attack/relationship/relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json 
+++ b/ics-attack/relationship/relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a1c51740-6dca-4307-b9ac-6d71e8986e10", + "id": "bundle--cc542e2d-2fce-49ea-820e-cc6fe05766fa", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a", "created": "2023-09-28T20:03:54.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:25.206Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f.json b/ics-attack/relationship/relationship--ba9ebebf-d5dd-4a5c-b44f-a07cc3ccac8b.json similarity index 85% rename from ics-attack/relationship/relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f.json rename to ics-attack/relationship/relationship--ba9ebebf-d5dd-4a5c-b44f-a07cc3ccac8b.json index 75096b8874..c3323f2156 100644 --- a/ics-attack/relationship/relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f.json +++ b/ics-attack/relationship/relationship--ba9ebebf-d5dd-4a5c-b44f-a07cc3ccac8b.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--f154d903-8350-4525-8c2f-4d3e10bf4345", + "id": "bundle--27fa5056-d2f7-43a2-9537-16bfbd816332", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f", + "id": "relationship--ba9ebebf-d5dd-4a5c-b44f-a07cc3ccac8b", "created": "2023-09-27T14:48:05.715Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -23,10 +23,10 @@ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7.json b/ics-attack/relationship/relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7.json index a06186cfba..e15ac9f3ff 100644 --- a/ics-attack/relationship/relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7.json +++ b/ics-attack/relationship/relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee0dc3c5-8aa7-4f92-a8bf-f89ae82ed7cb", + "id": "bundle--357a3146-2f67-48a3-b91c-42e437a3477e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7", "created": "2023-09-29T18:49:34.208Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:25.429Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
diff --git a/ics-attack/relationship/relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341.json b/ics-attack/relationship/relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341.json index 90c8dcf065..d074161f41 100644 --- a/ics-attack/relationship/relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341.json +++ b/ics-attack/relationship/relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bd704a4e-6fc7-4921-9f2e-5a353a0b19f2", + "id": "bundle--ef3ecdf8-1f8c-428c-b0b4-fc8f668c089c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--bad056aa-b8a6-4c4c-9bfa-bcc518872341", "created": "2024-03-25T20:17:36.433Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:25.662Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--badf753a-349e-4a3c-a425-b12efd65d856.json b/ics-attack/relationship/relationship--badf753a-349e-4a3c-a425-b12efd65d856.json new file mode 100644 index 0000000000..585d4a2f1c --- /dev/null +++ b/ics-attack/relationship/relationship--badf753a-349e-4a3c-a425-b12efd65d856.json 
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--72fff0da-5fce-47d8-9425-d3afd47ce638", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--badf753a-349e-4a3c-a425-b12efd65d856", + "created": "2026-04-20T20:58:44.598Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:44.598Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json b/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json index 9c6464249e..70d610d444 100644 --- a/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json +++ b/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--24f212d4-8e16-44cf-88f8-2e9e1657c167", + "id": "bundle--8decb4e5-96ad-418b-97d0-951dc61a8957", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json b/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json index 37a6156b9c..57eb148b2d 100644 --- a/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json +++ b/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1c1b7955-651e-49b4-aba6-c1915e5f306b", + "id": "bundle--fbf1e971-2727-46c9-9630-3b643820db01", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259.json b/ics-attack/relationship/relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259.json index 06a590129d..5dfba4f54a 100644 --- a/ics-attack/relationship/relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259.json +++ b/ics-attack/relationship/relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a2f980c9-4372-4962-ab11-b0dcc6baacdb", + "id": "bundle--9eccc1b8-0c67-43ad-bb44-f9decebddd55", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259", "created": "2023-09-29T16:45:08.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:26.310Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--bbbbad6d-fc22-4f87-92e6-445f05e08e39.json b/ics-attack/relationship/relationship--bbbbad6d-fc22-4f87-92e6-445f05e08e39.json new file mode 100644 index 0000000000..de355cd153 --- /dev/null +++ b/ics-attack/relationship/relationship--bbbbad6d-fc22-4f87-92e6-445f05e08e39.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--f358c910-6605-4ce7-9619-601b8159e71f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bbbbad6d-fc22-4f87-92e6-445f05e08e39", + "created": "2026-04-22T21:40:21.108Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:40:21.108Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json b/ics-attack/relationship/relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json index b3aa428411..0c7f706983 100644 --- a/ics-attack/relationship/relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json +++ b/ics-attack/relationship/relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cdb11db5-e04a-44d8-90d8-18f7c3871ef2", + "id": "bundle--c85bfb81-a3a9-4a7c-b639-69cdebcd99fc", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc", "created": "2023-09-28T19:53:44.848Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:26.525Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
diff --git a/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json b/ics-attack/relationship/relationship--bc0e4ff7-ed61-41c0-84ca-66210241c9ce.json similarity index 76% rename from ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json rename to ics-attack/relationship/relationship--bc0e4ff7-ed61-41c0-84ca-66210241c9ce.json index d8b8ecbff0..ce2e149288 100644 --- a/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json +++ b/ics-attack/relationship/relationship--bc0e4ff7-ed61-41c0-84ca-66210241c9ce.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--645810dc-01f0-43ed-a4b5-8aefbd1db8c8", + "id": "bundle--0c78a0df-782e-4961-b50b-5086791dd694", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9", + "id": "relationship--bc0e4ff7-ed61-41c0-84ca-66210241c9ce", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security September 2016", 
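Review bot: This hunk adds `"revoked": false,` to the object while other hunks in the same commit delete that exact line (for example `relationship--b9a1e946-4ece-48f3-949c-e1c2d39136fe`, `relationship--ba24af7b-dd2f-4c21-9ec5-27758b88da9b` and `relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c`), so the default is serialized inconsistently across the data set. STIX treats a missing `revoked` as false, but tooling that screens out withdrawn content with an exact-match test on the key, rather than a default-aware lookup, would treat the two forms differently. One form should be chosen, either omitting the default everywhere or emitting it everywhere, and applied to new and re-issued objects alike. The added `relationship--badf753a-349e-4a3c-a425-b12efd65d856` similarly omits `x_mitre_deprecated`, where the other added files carry `"x_mitre_deprecated": false`.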
@@ -18,14 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:27:20.209Z", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "modified": "2026-04-23T19:00:06.758Z", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)\n", "relationship_type": "mitigates", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json b/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json index b17b4d500f..8c6dd45101 100644 --- a/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json +++ b/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--073e57c9-06ef-4036-9b02-913af411c44c", + "id": "bundle--9c461c63-e72a-4d02-bd23-287b36954009", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json b/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json index 3e029a46dd..1e1a41bc4a 100644 --- a/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json +++ b/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b2ed915c-241b-464a-9607-ff92269d23db", + "id": "bundle--7e8a5f3a-c98d-464f-a0cb-bf0f5d3fa8c2", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--bc383819-2e40-49b4-bea9-95eb5d418877", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json b/ics-attack/relationship/relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json index c61266f778..f47b887820 100644 --- a/ics-attack/relationship/relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json +++ b/ics-attack/relationship/relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d51e9dd9-b9b6-40a8-b950-e099e1e2d7cf", + "id": "bundle--6673054d-cefd-4405-97c3-c8c49e62975d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9", "created": "2023-09-28T21:22:21.776Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:27.370Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
diff --git a/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json b/ics-attack/relationship/relationship--bc51e6c7-6211-4124-874d-4a5aea2efce0.json similarity index 83% rename from ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json rename to ics-attack/relationship/relationship--bc51e6c7-6211-4124-874d-4a5aea2efce0.json index 9aad98640a..4010c50d0b 100644 --- a/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json +++ b/ics-attack/relationship/relationship--bc51e6c7-6211-4124-874d-4a5aea2efce0.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--c71a38b8-6bb5-4dea-8163-586231f39d2c", + "id": "bundle--b655e0c4-ff75-4bb2-aad6-a9318f6c5fda", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a", + "id": "relationship--bc51e6c7-6211-4124-874d-4a5aea2efce0", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -23,10 +23,10 @@ "description": "Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0604) sends unauthorized commands to RTUs to change the state of equipment. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2.json b/ics-attack/relationship/relationship--bc6f2a51-9307-4268-a6d6-51c02ae893fd.json similarity index 71% rename from ics-attack/relationship/relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2.json rename to ics-attack/relationship/relationship--bc6f2a51-9307-4268-a6d6-51c02ae893fd.json index 891a9bfd16..87ec030b25 100644 --- a/ics-attack/relationship/relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2.json +++ b/ics-attack/relationship/relationship--bc6f2a51-9307-4268-a6d6-51c02ae893fd.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--68bbaa26-b5ec-46ca-9448-6477535880fd", + "id": "bundle--08e3c529-cbd9-43ff-8c9e-16df3b60600c", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2", + "id": "relationship--bc6f2a51-9307-4268-a6d6-51c02ae893fd", "created": "2023-09-29T17:58:04.082Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:21.474Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json b/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json index 299aa0084b..4fa17b2a0f 100644 --- a/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json 
+++ b/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b1a0a243-e811-4835-b5ea-af0d4e8c1145", + "id": "bundle--f424930b-8949-4f9e-b594-2cd7bd360a38", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json b/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json index fbdbcc2046..99cd111a19 100644 --- a/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json +++ b/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0f87fdc-6df2-4980-9495-9daac79c0d9b", + "id": "bundle--c4186302-a314-4ff5-a228-89f97a6607bb", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--bd16f422-4869-49f8-9b86-16220e857c9b.json b/ics-attack/relationship/relationship--bd16f422-4869-49f8-9b86-16220e857c9b.json index 889ed1969e..8d7f5d6668 100644 --- a/ics-attack/relationship/relationship--bd16f422-4869-49f8-9b86-16220e857c9b.json +++ b/ics-attack/relationship/relationship--bd16f422-4869-49f8-9b86-16220e857c9b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0f8da466-848f-415c-ad17-e09992d5eee4", + "id": "bundle--10fd1d91-d71e-4aa5-98ca-57f9307cb367", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--bd16f422-4869-49f8-9b86-16220e857c9b", "created": "2025-09-29T22:07:11.671Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--bd2ee84f-349c-4a89-b224-d48269bd9b0a.json b/ics-attack/relationship/relationship--bd2ee84f-349c-4a89-b224-d48269bd9b0a.json new file mode 100644 index 0000000000..e20d46204c --- /dev/null +++ b/ics-attack/relationship/relationship--bd2ee84f-349c-4a89-b224-d48269bd9b0a.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--81dfa851-e1e7-4782-a95b-fe9757d9f3b4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bd2ee84f-349c-4a89-b224-d48269bd9b0a", + "created": "2026-04-22T22:47:25.522Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:47:25.522Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bd639f3c-0887-49a6-9274-37e1e2d24808.json b/ics-attack/relationship/relationship--bd639f3c-0887-49a6-9274-37e1e2d24808.json index ff7e5ddc3b..91ff297b03 100644 --- a/ics-attack/relationship/relationship--bd639f3c-0887-49a6-9274-37e1e2d24808.json +++ b/ics-attack/relationship/relationship--bd639f3c-0887-49a6-9274-37e1e2d24808.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8c472e79-8e77-4fa0-9ea7-49f297c508f9", + "id": "bundle--69898242-0bee-4bcc-bd37-e71233ff6a4e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--bd639f3c-0887-49a6-9274-37e1e2d24808", "created": "2025-09-24T18:21:25.236Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json b/ics-attack/relationship/relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json index fe88a072ee..ec43cf91f2 100644 --- a/ics-attack/relationship/relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json +++ b/ics-attack/relationship/relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a8e9984c-bdf0-48c9-ad3d-6b0b8b4c0e47", + "id": "bundle--2bb30281-7817-46a2-bd16-71011d2d3c07", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a", "created": "2023-09-28T21:16:24.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:28.188Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--bd7bd67c-f636-481f-a301-7e8da69b5aef.json b/ics-attack/relationship/relationship--bd7bd67c-f636-481f-a301-7e8da69b5aef.json new file mode 100644 index 0000000000..a274bc6757 --- /dev/null +++ b/ics-attack/relationship/relationship--bd7bd67c-f636-481f-a301-7e8da69b5aef.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--dc2026f9-2b4a-4f2d-bbb8-71b68206d8b8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bd7bd67c-f636-481f-a301-7e8da69b5aef", + "created": "2026-04-22T18:58:48.061Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:58:48.061Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bd869385-5778-4303-8993-cc6412d12303.json b/ics-attack/relationship/relationship--bd869385-5778-4303-8993-cc6412d12303.json index 911ee8cbb4..18bbd2c080 100644 --- a/ics-attack/relationship/relationship--bd869385-5778-4303-8993-cc6412d12303.json +++ b/ics-attack/relationship/relationship--bd869385-5778-4303-8993-cc6412d12303.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0d82fba-edfb-465b-b00a-af0bf110b32b", + "id": "bundle--092e71cd-1171-44de-83d1-0775f2b5d05c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--bd869385-5778-4303-8993-cc6412d12303", "created": "2023-09-29T18:45:59.108Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:28.405Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
diff --git a/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json b/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json index dcf307703a..dc65559dac 100644 --- a/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json +++ b/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0d653a2-2019-43a7-80da-817d4d602886", + "id": "bundle--c2af440b-3203-42e2-978b-cbf6d4d307e1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bdae915d-64f8-4944-949c-59a4d35b70c5.json b/ics-attack/relationship/relationship--bdae915d-64f8-4944-949c-59a4d35b70c5.json new file mode 100644 index 0000000000..08b5858ed9 --- /dev/null +++ b/ics-attack/relationship/relationship--bdae915d-64f8-4944-949c-59a4d35b70c5.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--62cd0a85-a918-4762-bb10-251b586f36bf", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bdae915d-64f8-4944-949c-59a4d35b70c5", + "created": "2026-04-22T20:26:28.411Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:26:28.411Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries damaged the Mikronika RTUs, Hitachi Relion Protection and Control Relays (IEDs), and HMI workstations resulting in a loss of communications and control between the facility and the distribution system operators (DSO).(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json b/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json index 8c528aa287..1a179e0019 100644 --- a/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json +++ b/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7e999689-b125-4df7-9057-eb95dfb422d7", + "id": "bundle--f5e916dd-a7c0-4ae5-ab60-ff0b69f500c9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--be0f7d83-2441-4259-b411-46e0d10566b1.json b/ics-attack/relationship/relationship--be0f7d83-2441-4259-b411-46e0d10566b1.json index cdefa77c76..a8d84f4ac9 100644 --- a/ics-attack/relationship/relationship--be0f7d83-2441-4259-b411-46e0d10566b1.json +++ b/ics-attack/relationship/relationship--be0f7d83-2441-4259-b411-46e0d10566b1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--08118b1e-b017-43dc-b485-3163bdc55b89", + "id": "bundle--42118221-570a-4deb-b9d7-ce7047d6a87a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--be0f7d83-2441-4259-b411-46e0d10566b1", "created": "2023-10-02T20:23:24.179Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:29.045Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json b/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json index 1cc11a372a..d350951f7a 100644 --- a/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json +++ b/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1a027812-74db-4d17-9896-96d637040460", + "id": "bundle--ba82c5dc-dbff-4bf4-aa7d-54ce7c710185", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--be532c78-daf5-431b-adae-ab11af395513", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json b/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json index afc3a11176..c3d1b0fcf3 100644 --- a/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json +++ b/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--739d56af-f3d6-418e-9617-ae2b89aa2454", + "id": "bundle--0de4d92c-f147-491e-9447-2e7bec751810", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--beb0c5be-2b81-4d8d-9d9f-35e496be4e0f.json b/ics-attack/relationship/relationship--beb0c5be-2b81-4d8d-9d9f-35e496be4e0f.json new file mode 100644 index 0000000000..25954df3e6 --- /dev/null +++ b/ics-attack/relationship/relationship--beb0c5be-2b81-4d8d-9d9f-35e496be4e0f.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--64014af1-95ba-4cf2-b711-c69bcfffd635", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--beb0c5be-2b81-4d8d-9d9f-35e496be4e0f", + "created": "2026-04-23T00:26:38.917Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:32:24.809Z", + "description": "Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bf08412c-f1ab-4b48-956b-177ce2474a2e.json b/ics-attack/relationship/relationship--bf08412c-f1ab-4b48-956b-177ce2474a2e.json new file mode 100644 index 0000000000..6755ed9485 --- /dev/null +++ b/ics-attack/relationship/relationship--bf08412c-f1ab-4b48-956b-177ce2474a2e.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--46905717-cb39-4815-9af1-e4ad1f333ce5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bf08412c-f1ab-4b48-956b-177ce2474a2e", + "created": "2026-04-22T22:35:15.009Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:35:15.009Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bf0e7347-1636-4b5e-9e2a-8b93177e5f85.json b/ics-attack/relationship/relationship--bf0e7347-1636-4b5e-9e2a-8b93177e5f85.json index df5222400a..0ab7b03882 100644 --- a/ics-attack/relationship/relationship--bf0e7347-1636-4b5e-9e2a-8b93177e5f85.json +++ b/ics-attack/relationship/relationship--bf0e7347-1636-4b5e-9e2a-8b93177e5f85.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c15f76d1-f857-4d90-af7e-500b9f15a541", + "id": "bundle--86c73443-1865-40c2-be08-8d2b24ae7593", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--bf0e7347-1636-4b5e-9e2a-8b93177e5f85", "created": "2024-03-28T14:27:09.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TRITON 2018", diff --git a/ics-attack/relationship/relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302.json b/ics-attack/relationship/relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302.json index 5825a85926..0dfd5ad100 100644 --- a/ics-attack/relationship/relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302.json 
+++ b/ics-attack/relationship/relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30ea9466-2f15-4d5b-bc0d-9f1083d2ec0b", + "id": "bundle--3f78228f-63c4-4d9c-9c92-185c0ac21e3f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302", "created": "2023-09-29T18:06:02.077Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:30.650Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--bf9f227c-e306-4257-add1-39c7c2e42040.json b/ics-attack/relationship/relationship--bf9f227c-e306-4257-add1-39c7c2e42040.json index 0068c191e3..e1ee275135 100644 --- a/ics-attack/relationship/relationship--bf9f227c-e306-4257-add1-39c7c2e42040.json +++ b/ics-attack/relationship/relationship--bf9f227c-e306-4257-add1-39c7c2e42040.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e41a8a23-b69b-42a0-ac32-0ea6dc1810c0", + "id": "bundle--cc99c410-8c09-4046-a500-1e954fe0fd74", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--bf9f227c-e306-4257-add1-39c7c2e42040", "created": "2023-09-29T18:47:28.758Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:30.863Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
diff --git a/ics-attack/relationship/relationship--bfe38597-c92b-4989-9687-3dd20a21f82d.json b/ics-attack/relationship/relationship--bfe38597-c92b-4989-9687-3dd20a21f82d.json index 02abf5e119..7e5e0f7789 100644 --- a/ics-attack/relationship/relationship--bfe38597-c92b-4989-9687-3dd20a21f82d.json +++ b/ics-attack/relationship/relationship--bfe38597-c92b-4989-9687-3dd20a21f82d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aad389c7-89b9-4475-bf59-d7636e4f1ac9", + "id": "bundle--e446203c-b979-46a6-add6-b20ddc3dc903", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--bfe38597-c92b-4989-9687-3dd20a21f82d", "created": "2025-09-29T19:05:45.030Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json b/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json index 08701aeaab..dc935d6a5b 100644 --- a/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json +++ b/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f2f4133-5f5a-40df-939a-5e7f6479d076", + "id": "bundle--182be565-7199-4752-8d35-e81e6df27d75", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c004d8e5-8079-4f6f-90ed-93cff4f69940.json b/ics-attack/relationship/relationship--c004d8e5-8079-4f6f-90ed-93cff4f69940.json index baf2e0fe30..c0d6620cdb 100644 --- a/ics-attack/relationship/relationship--c004d8e5-8079-4f6f-90ed-93cff4f69940.json +++ b/ics-attack/relationship/relationship--c004d8e5-8079-4f6f-90ed-93cff4f69940.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--36e92cd5-63cd-4f2d-b4d1-db9a1ceeafa7", + "id": "bundle--29585552-33de-478b-ba84-e69d2407f8d2", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--c004d8e5-8079-4f6f-90ed-93cff4f69940", "created": "2025-09-24T18:14:07.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef.json b/ics-attack/relationship/relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef.json index 25e73d5779..34e4fec3e9 100644 --- a/ics-attack/relationship/relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef.json +++ b/ics-attack/relationship/relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f83fe93a-ea40-4bfb-8d8a-edb243a01949", + "id": "bundle--86a20837-0836-4c35-b282-ac2b4fe77167", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef", "created": "2023-09-28T21:17:47.080Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:31.380Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--c09375e4-1c59-48f2-9151-f42151263bce.json b/ics-attack/relationship/relationship--c09375e4-1c59-48f2-9151-f42151263bce.json new file mode 100644 index 0000000000..84903a3d2a --- /dev/null +++ b/ics-attack/relationship/relationship--c09375e4-1c59-48f2-9151-f42151263bce.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--12d4470a-e33c-4b1d-b3ca-2c39261ae870", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c09375e4-1c59-48f2-9151-f42151263bce", + "created": "2026-04-22T19:59:54.754Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:21:22.484Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used a graphical user interface (GUI) via the Remote Desktop Protocol (RDP) to access the Mikronika HMI and to execute commands.(Citation: CERT Polska)\n\nDuring the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used a graphical user interface (GUI) to connect to the domain controller via the Remote Desktop Protocol (RDP) to collect and exfiltrate data and attempt to destroy data on the system.(Citation: CERT Polska)\n", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c09623fc-ee06-4d8e-828f-23d2bc895aaf.json b/ics-attack/relationship/relationship--c09623fc-ee06-4d8e-828f-23d2bc895aaf.json new file mode 100644 index 0000000000..7000249acd --- /dev/null 
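Review bot: The `description` of relationship--c09375e4-1c59-48f2-9151-f42151263bce ends in a stray `\n` after the second `(Citation: CERT Polska)`, which renderers and exact-match comparisons of the text will carry along. I would end the string at `...destroy data on the system.(Citation: CERT Polska)"`. The citation key `"source_name": "CERT Polska"` is also very generic. The inline `(Citation: …)` markers appear to resolve by that name, so a second CERT Polska report cited later would be hard to tell apart, and a key that carries the report title or year would be safer. The bdae915d bundle uses the same key.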
+++ b/ics-attack/relationship/relationship--c09623fc-ee06-4d8e-828f-23d2bc895aaf.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--fd6d82a7-da07-4ea0-897c-51903fedd788", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c09623fc-ee06-4d8e-828f-23d2bc895aaf", + "created": "2026-04-22T21:39:27.046Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:39:27.046Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c0c5f223-8546-47f9-acd0-ea47da6f768d.json b/ics-attack/relationship/relationship--c0c5f223-8546-47f9-acd0-ea47da6f768d.json index f7b02d74d7..d40854f360 100644 --- a/ics-attack/relationship/relationship--c0c5f223-8546-47f9-acd0-ea47da6f768d.json +++ b/ics-attack/relationship/relationship--c0c5f223-8546-47f9-acd0-ea47da6f768d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--06bc30a5-5c06-42a8-a649-9d941fe0cf48", + "id": "bundle--1b38cdb6-3248-4fb3-a165-e61faafe8102", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c0c5f223-8546-47f9-acd0-ea47da6f768d", "created": "2025-09-24T17:56:19.121Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json b/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json index 7c748ead08..e31cb4fb69 100644 --- a/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json +++ b/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a307e1d6-6b21-479c-a18b-3088c4aef7ea", + "id": "bundle--05de804d-8700-41f7-9948-62e84f1c7cec", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c0fb868d-9b36-492d-9577-626ecf9d50c0.json b/ics-attack/relationship/relationship--c0fb868d-9b36-492d-9577-626ecf9d50c0.json index 1f40880e23..649d0f7d5c 100644 --- a/ics-attack/relationship/relationship--c0fb868d-9b36-492d-9577-626ecf9d50c0.json +++ b/ics-attack/relationship/relationship--c0fb868d-9b36-492d-9577-626ecf9d50c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a1b8d22f-bf9f-4ea9-b1ae-b0caeb0e993a", + "id": "bundle--03e7c88a-70f0-4299-8d7e-131605ae2de3", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c0fb868d-9b36-492d-9577-626ecf9d50c0", "created": "2025-09-29T22:02:30.857Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json b/ics-attack/relationship/relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json index 9012030197..3c0d6b790f 100644 --- a/ics-attack/relationship/relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json +++ b/ics-attack/relationship/relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc20f283-ac0e-4916-bfac-fb0e86f86922", + "id": "bundle--f586e3c7-beb8-4ded-9444-c6e7a40f5780", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f", "created": "2023-03-10T20:34:55.362Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", diff --git a/ics-attack/relationship/relationship--c137fcd2-ce51-4e17-9c2f-f1aaf9b64ce7.json b/ics-attack/relationship/relationship--c137fcd2-ce51-4e17-9c2f-f1aaf9b64ce7.json index e2fdb5c904..c75d6d65ba 100644 --- a/ics-attack/relationship/relationship--c137fcd2-ce51-4e17-9c2f-f1aaf9b64ce7.json +++ b/ics-attack/relationship/relationship--c137fcd2-ce51-4e17-9c2f-f1aaf9b64ce7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ddf84ed3-f7a7-400e-b268-18a7b8cb0a7a", + "id": "bundle--bb37ebca-82b7-48f8-bbe7-67bcd89d647f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c137fcd2-ce51-4e17-9c2f-f1aaf9b64ce7", "created": "2024-03-28T14:28:47.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "FireEye TEMP.Veles 2018", diff --git a/ics-attack/relationship/relationship--c1849779-3ef0-4e68-b970-a518976a7567.json b/ics-attack/relationship/relationship--c1849779-3ef0-4e68-b970-a518976a7567.json index 89467e4fdf..fcb97d3de8 100644 --- a/ics-attack/relationship/relationship--c1849779-3ef0-4e68-b970-a518976a7567.json +++ b/ics-attack/relationship/relationship--c1849779-3ef0-4e68-b970-a518976a7567.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--af3784d5-a494-41a9-99c2-6c1dba0249b4", + "id": "bundle--c53cf052-3276-42b7-9893-1f05d2dd21cc", "spec_version": "2.0", "objects": [ { 
@@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--06443942-ba28-4d13-b4b4-93317d6eafa5", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", diff --git a/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json b/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json index 8c7d764612..e17614fb7b 100644 --- a/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json +++ b/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0600b115-2b8e-41d7-ac94-ea8aa2014407", + "id": "bundle--8c786934-0778-4005-b3f2-33e0e0f28683", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c19a88bb-b98c-4a2e-9b8f-9dcacd73a9c0.json b/ics-attack/relationship/relationship--c19a88bb-b98c-4a2e-9b8f-9dcacd73a9c0.json index ebba37f9ae..7fdd93dfa2 100644 --- a/ics-attack/relationship/relationship--c19a88bb-b98c-4a2e-9b8f-9dcacd73a9c0.json +++ b/ics-attack/relationship/relationship--c19a88bb-b98c-4a2e-9b8f-9dcacd73a9c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b9b32f68-21b8-4278-a6af-e911f8194d9c", + "id": "bundle--162ee54b-73bf-469f-b272-de67fc8dc8eb", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c7737640-99e8-4efb-90ee-39332b623b33", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", diff --git a/ics-attack/relationship/relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2.json b/ics-attack/relationship/relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2.json index 189a88c20b..e9d726378c 100644 
--- a/ics-attack/relationship/relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2.json +++ b/ics-attack/relationship/relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d51e21b-54eb-4f92-babf-5b40b6a4db29", + "id": "bundle--dd6bc75f-0339-4e61-b3c0-baa3b63eed41", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2", "created": "2023-09-29T18:09:02.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:32.619Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553.json b/ics-attack/relationship/relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553.json index 540b5f51e0..db63fd7d29 100644 --- a/ics-attack/relationship/relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553.json +++ b/ics-attack/relationship/relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f965699a-127a-4659-9e49-bfd1cf0f48ed", + "id": "bundle--c0359491-0628-4e71-983c-6d08cfef988b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553", "created": "2023-09-29T17:09:48.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:32.817Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
diff --git a/ics-attack/relationship/relationship--857f7961-1b88-4ec7-8821-25083dc70048.json b/ics-attack/relationship/relationship--c1fc8829-4a5e-4633-8785-b5601f5067a9.json similarity index 78% rename from ics-attack/relationship/relationship--857f7961-1b88-4ec7-8821-25083dc70048.json rename to ics-attack/relationship/relationship--c1fc8829-4a5e-4633-8785-b5601f5067a9.json index d4ec2d881d..4feb6a5e63 100644 --- a/ics-attack/relationship/relationship--857f7961-1b88-4ec7-8821-25083dc70048.json +++ b/ics-attack/relationship/relationship--c1fc8829-4a5e-4633-8785-b5601f5067a9.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--b96aeb33-89ff-46ba-9ebb-ca3563d5ba9d", + "id": "bundle--b991e9dd-eb73-435f-8c2a-e0c5414ffc72", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--857f7961-1b88-4ec7-8821-25083dc70048", + "id": "relationship--c1fc8829-4a5e-4633-8785-b5601f5067a9", "created": "2025-09-29T19:02:37.703Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-29T19:02:37.703Z", "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, diff --git a/ics-attack/relationship/relationship--c233df49-e450-4151-8a0f-1765faf3d75a.json b/ics-attack/relationship/relationship--c233df49-e450-4151-8a0f-1765faf3d75a.json index af1641f3a6..67a92c6aaa 100644 --- a/ics-attack/relationship/relationship--c233df49-e450-4151-8a0f-1765faf3d75a.json +++ b/ics-attack/relationship/relationship--c233df49-e450-4151-8a0f-1765faf3d75a.json 
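Review bot: The relationship is re-keyed from `relationship--857f7961-…` to `relationship--c1fc8829-…` and its `source_ref` is re-pointed, yet `created` and `modified` both stay at `2025-09-29T19:02:37.703Z` as unchanged context lines. A consumer that syncs incrementally on `modified`, or that treats `created` as the first-seen time of an id, can skip or misdate the new object. The old id also disappears with no revoked or deprecated record for anyone who cached it. I would stamp the new object with the time of this change (`"created": "<time of this change>"`, and the same for `modified`), or keep the old id and update only `source_ref` and `modified`. The JSON object continues past the end of the second hunk, so any fields after `x_mitre_deprecated` are not visible here.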
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--eab2a0f5-0ff6-4538-98e8-3b9cad2cd964",
+ "id": "bundle--186df0b9-9634-44f7-8677-ebd40ebe6aea",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--c233df49-e450-4151-8a0f-1765faf3d75a",
 "created": "2023-09-29T17:08:08.883Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:04:33.275Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
 "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
diff --git a/ics-attack/relationship/relationship--c247e63d-f1f8-4b69-b72f-866bfd14d4bb.json b/ics-attack/relationship/relationship--c247e63d-f1f8-4b69-b72f-866bfd14d4bb.json
new file mode 100644
index 0000000000..bee9a0da32
--- /dev/null
+++ b/ics-attack/relationship/relationship--c247e63d-f1f8-4b69-b72f-866bfd14d4bb.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--2fa8425a-ee60-4522-a376-15fa2e4a5667",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--c247e63d-f1f8-4b69-b72f-866bfd14d4bb",
+ "created": "2026-04-22T16:10:21.873Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T16:10:21.873Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20",
+ "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
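Review bot: The new object `relationship--c247e63d-f1f8-4b69-b72f-866bfd14d4bb` writes `"revoked": false` explicitly, while the same commit strips that property from existing relationships (for example `relationship--c233df49-e450-4151-8a0f-1765faf3d75a` in the hunk just before it), so the data set now mixes both forms. Any tooling that filters on the literal key instead of treating an absent `revoked` as false would handle the two groups differently when it builds asset-coverage or detection mappings from these edges. For consistency I would drop the `"revoked": false,` line from the newly added objects (the new files `c3c23e7f`, `c56f7ce6`, `c61fb9cc` and `c6258ef7` later in this diff carry it too), or note in the changelog that absence means not revoked.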
diff --git a/ics-attack/relationship/relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json b/ics-attack/relationship/relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json
index 2f707879ef..0bf1dd5b85 100644
--- a/ics-attack/relationship/relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json
+++ b/ics-attack/relationship/relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--71e54741-4281-473d-b546-5622273bd639",
+ "id": "bundle--a5dd2e74-b213-4b53-98ae-fd07bfd9f0d7",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f",
 "created": "2023-09-29T17:59:54.204Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:04:33.667Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
 "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
diff --git a/ics-attack/relationship/relationship--c297179c-66a5-41b4-9a12-59f7480bc25e.json b/ics-attack/relationship/relationship--c297179c-66a5-41b4-9a12-59f7480bc25e.json
index ecf37087a9..da21a9a83f 100644
--- a/ics-attack/relationship/relationship--c297179c-66a5-41b4-9a12-59f7480bc25e.json
+++ b/ics-attack/relationship/relationship--c297179c-66a5-41b4-9a12-59f7480bc25e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1a471c6a-2f1a-4777-9df8-1a93336f9d69",
+ "id": "bundle--dc0461e9-c91b-4451-ba82-eef3cdc881c4",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,7 +12,6 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-10-21T15:10:28.402Z",
- "description": "",
 "relationship_type": "detects",
 "source_ref": "x-mitre-detection-strategy--5ba60cf7-738d-4ed4-827c-8c763ad9f0f0",
 "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
diff --git a/ics-attack/relationship/relationship--5677e801-bd49-404b-b54a-6b00da52530c.json b/ics-attack/relationship/relationship--c2a6b6b8-d9ef-45e1-9b7f-5fdc039e190f.json
similarity index 71%
rename from ics-attack/relationship/relationship--5677e801-bd49-404b-b54a-6b00da52530c.json
rename to ics-attack/relationship/relationship--c2a6b6b8-d9ef-45e1-9b7f-5fdc039e190f.json
index d932467146..47d49c86f6 100644
--- a/ics-attack/relationship/relationship--5677e801-bd49-404b-b54a-6b00da52530c.json
+++ b/ics-attack/relationship/relationship--c2a6b6b8-d9ef-45e1-9b7f-5fdc039e190f.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--24bc15a8-3670-4d79-8b82-3ec766f92576",
+ "id": "bundle--f2ac83f3-7015-4055-b27d-f654b989607c",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--5677e801-bd49-404b-b54a-6b00da52530c",
+ "id": "relationship--c2a6b6b8-d9ef-45e1-9b7f-5fdc039e190f",
 "created": "2023-09-29T16:39:01.824Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -13,13 +13,12 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:02:29.175Z",
- "description": "",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9",
 "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json b/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json
index e8a5e5c525..fda56919d5 100644
--- a/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json
+++ b/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94bad3d7-57f3-49be-9409-04fb638e37a0", + "id": "bundle--13c2f44d-de0b-4ce4-9142-145b135ab911", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", diff --git a/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json b/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json index d4aa4f56ef..7eccc219b9 100644 --- a/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json +++ b/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--459c52e2-9c54-43ab-be58-32810b5405f6", + "id": "bundle--b266b81e-0911-4eb4-a070-59f4ce3e91fa", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac", "created": "2021-04-13T12:28:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Threat Intelligence February 2020", diff --git a/ics-attack/relationship/relationship--c37f097a-9698-412f-9e96-4d350bcd2790.json b/ics-attack/relationship/relationship--c37f097a-9698-412f-9e96-4d350bcd2790.json index 6257e39d2e..19d4580a0c 100644 --- a/ics-attack/relationship/relationship--c37f097a-9698-412f-9e96-4d350bcd2790.json +++ b/ics-attack/relationship/relationship--c37f097a-9698-412f-9e96-4d350bcd2790.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fac3c515-6f4e-40c6-9c9c-84581600d3d9", + "id": "bundle--51083d14-e57e-4665-8bc2-9b7a62f4efa4", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--c37f097a-9698-412f-9e96-4d350bcd2790", "created": "2023-09-29T16:44:26.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:34.277Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608.json b/ics-attack/relationship/relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608.json index 1ef9589458..a90311f239 100644 --- a/ics-attack/relationship/relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608.json +++ b/ics-attack/relationship/relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed2de3dd-cc90-4dd5-8049-35ec10848d8d", + "id": "bundle--11a02f79-4b5c-4150-9502-aa733602376c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608", "created": "2023-09-29T18:49:14.639Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:34.465Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--c3c23e7f-f778-4cd6-b2ac-69c1a5615d66.json b/ics-attack/relationship/relationship--c3c23e7f-f778-4cd6-b2ac-69c1a5615d66.json new file mode 100644 index 0000000000..4b93a4c6bd --- /dev/null +++ b/ics-attack/relationship/relationship--c3c23e7f-f778-4cd6-b2ac-69c1a5615d66.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--69f2e863-c819-4080-b2e2-4288e84d275f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c3c23e7f-f778-4cd6-b2ac-69c1a5615d66", + "created": "2026-04-22T22:32:35.367Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:32:35.367Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json b/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json index 54d0bf4153..fcb5dab4de 100644 --- a/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json +++ b/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--264c1a99-3282-4a6a-a97d-b199c8603551", + "id": "bundle--b1f491fd-ce71-4d9c-a54c-30bf251e74e1", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c4122b58-f1b2-4656-a715-55016700bf75", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", diff --git a/ics-attack/relationship/relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json b/ics-attack/relationship/relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json index 6f34cf7a1c..72f0d69976 100644 
--- a/ics-attack/relationship/relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json +++ b/ics-attack/relationship/relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9a1d8bb4-57b3-4a42-af99-58b4a3b41ee7", + "id": "bundle--4dfe07c7-9c54-4ccc-91d1-241756d907cc", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b", "created": "2023-10-02T20:21:06.420Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:34.889Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--c44ad0d0-0d7e-4a31-877b-ac69b679cf8d.json b/ics-attack/relationship/relationship--c44ad0d0-0d7e-4a31-877b-ac69b679cf8d.json index 22ebe0f2c0..bc2e8278b0 100644 --- a/ics-attack/relationship/relationship--c44ad0d0-0d7e-4a31-877b-ac69b679cf8d.json +++ b/ics-attack/relationship/relationship--c44ad0d0-0d7e-4a31-877b-ac69b679cf8d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aca02d9e-33e2-4a12-81f6-549a9b8bf415", + "id": "bundle--0c9995f7-8d35-437a-9b4f-bb857655c3e0", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c44ad0d0-0d7e-4a31-877b-ac69b679cf8d", "created": "2025-09-24T18:04:13.732Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--c4a50132-a210-4093-878d-3d6df23ed26e.json b/ics-attack/relationship/relationship--c4a50132-a210-4093-878d-3d6df23ed26e.json index 0ce1aa3921..1d72b8057d 100644 
--- a/ics-attack/relationship/relationship--c4a50132-a210-4093-878d-3d6df23ed26e.json +++ b/ics-attack/relationship/relationship--c4a50132-a210-4093-878d-3d6df23ed26e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e3e52894-3592-429e-809e-bb06269b4d82", + "id": "bundle--c65692a4-ee84-4be2-9e72-b6adf51c3ea0", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c4a50132-a210-4093-878d-3d6df23ed26e", "created": "2023-09-29T17:10:09.146Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:35.724Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json b/ics-attack/relationship/relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json index 7fe11b32ca..098ce565d9 100644 --- a/ics-attack/relationship/relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json +++ b/ics-attack/relationship/relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ac3095cb-3ec0-47fb-a1ae-42321c61c693", + "id": "bundle--d9e3f2b0-3ea7-45d2-bc8b-c81be9e6f5f4", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37", "created": "2023-09-28T20:15:05.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:35.927Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", 
diff --git a/ics-attack/relationship/relationship--c4dd7251-ed87-4629-86b5-090e52a82df2.json b/ics-attack/relationship/relationship--c4dd7251-ed87-4629-86b5-090e52a82df2.json index 56bf65ff8d..c6e3426b9e 100644 --- a/ics-attack/relationship/relationship--c4dd7251-ed87-4629-86b5-090e52a82df2.json +++ b/ics-attack/relationship/relationship--c4dd7251-ed87-4629-86b5-090e52a82df2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ace92abd-606d-418f-93f5-bf050ba909ab", + "id": "bundle--423f7d3a-6206-4669-9678-e3eabf3e4991", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c4dd7251-ed87-4629-86b5-090e52a82df2", "created": "2024-04-09T21:00:32.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:36.124Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json b/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json index 59cb0090c6..e29524fe06 100644 --- a/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json +++ b/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c8fd664-39be-496c-a742-82093140cec5", + "id": "bundle--af4ce881-f11b-475e-bf2b-f7682cc09f16", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Robert Falcone, Bryan Lee May 2016", 
diff --git a/ics-attack/relationship/relationship--c4ef2c9e-b192-4292-bb23-8b39fe69fd1b.json b/ics-attack/relationship/relationship--c4ef2c9e-b192-4292-bb23-8b39fe69fd1b.json index 3f468c89e0..0ee058dd19 100644 --- a/ics-attack/relationship/relationship--c4ef2c9e-b192-4292-bb23-8b39fe69fd1b.json +++ b/ics-attack/relationship/relationship--c4ef2c9e-b192-4292-bb23-8b39fe69fd1b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--570e20b4-f6e1-49e3-82ae-fd2c0c45c567", + "id": "bundle--1eb08b6e-4c8d-4ee2-a776-c277ee46f873", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c0abb110-c80e-4d6a-9f27-f2783f8bbfec", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", diff --git a/ics-attack/relationship/relationship--c4fa7c43-1b74-4d65-ade9-72b679f4bb49.json b/ics-attack/relationship/relationship--c4fa7c43-1b74-4d65-ade9-72b679f4bb49.json index 80ad27a104..4182eec47c 100644 --- a/ics-attack/relationship/relationship--c4fa7c43-1b74-4d65-ade9-72b679f4bb49.json +++ b/ics-attack/relationship/relationship--c4fa7c43-1b74-4d65-ade9-72b679f4bb49.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--324f5022-673d-41ca-8ea4-3ff186769d4b", + "id": "bundle--c4a01315-1bbf-4ba0-b507-4a452bd948d5", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c4fa7c43-1b74-4d65-ade9-72b679f4bb49", "created": "2025-09-29T19:56:59.071Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--c52501e6-6c33-4c10-9c20-b868f71f8035.json b/ics-attack/relationship/relationship--c52501e6-6c33-4c10-9c20-b868f71f8035.json index 965f6983de..c25a26abde 100644 
--- a/ics-attack/relationship/relationship--c52501e6-6c33-4c10-9c20-b868f71f8035.json +++ b/ics-attack/relationship/relationship--c52501e6-6c33-4c10-9c20-b868f71f8035.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--39e910b6-309a-4e36-8d02-bde08709760f", + "id": "bundle--274cb35b-a3ab-4122-8892-e8efb73881d9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c52501e6-6c33-4c10-9c20-b868f71f8035", "created": "2025-09-24T18:24:47.882Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--c53a4f46-f8db-4d89-b21b-9f249c8297a1.json b/ics-attack/relationship/relationship--c53a4f46-f8db-4d89-b21b-9f249c8297a1.json index abcacac27b..66662ebb65 100644 --- a/ics-attack/relationship/relationship--c53a4f46-f8db-4d89-b21b-9f249c8297a1.json +++ b/ics-attack/relationship/relationship--c53a4f46-f8db-4d89-b21b-9f249c8297a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1091e332-af67-49b2-a7be-33d2b463aeb9", + "id": "bundle--d51436fe-a7a5-463c-8e8a-871c27ecff0e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c53a4f46-f8db-4d89-b21b-9f249c8297a1", "created": "2025-09-29T19:59:07.775Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--c563bfb5-173f-4a96-812b-2aad8057f09f.json b/ics-attack/relationship/relationship--c563bfb5-173f-4a96-812b-2aad8057f09f.json index 80639f7742..d026c346c9 100644 --- a/ics-attack/relationship/relationship--c563bfb5-173f-4a96-812b-2aad8057f09f.json +++ b/ics-attack/relationship/relationship--c563bfb5-173f-4a96-812b-2aad8057f09f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ca456fc-da87-48c6-aeec-f55f33a70fdb", + "id": "bundle--c2f26ab7-81d3-445e-a7e7-f4cca31768a2", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--62587e44-0623-4b14-bd45-126430eaed4a", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", diff --git a/ics-attack/relationship/relationship--c56f7ce6-a077-41d3-94d7-440f85e61786.json b/ics-attack/relationship/relationship--c56f7ce6-a077-41d3-94d7-440f85e61786.json new file mode 100644 index 0000000000..0759a07602 --- /dev/null +++ b/ics-attack/relationship/relationship--c56f7ce6-a077-41d3-94d7-440f85e61786.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--ed10323f-623c-4b1d-a18a-fead02e20104", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c56f7ce6-a077-41d3-94d7-440f85e61786", + "created": "2026-04-22T13:55:20.869Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:55:20.869Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c58563a8-d757-4476-8ae2-beb2acce38b3.json b/ics-attack/relationship/relationship--c58563a8-d757-4476-8ae2-beb2acce38b3.json index 2bad4eede2..3384779184 100644 --- a/ics-attack/relationship/relationship--c58563a8-d757-4476-8ae2-beb2acce38b3.json 
+++ b/ics-attack/relationship/relationship--c58563a8-d757-4476-8ae2-beb2acce38b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aadb0e06-987f-4e7e-a3bd-72b4d850be92", + "id": "bundle--6136c3e9-de4a-479c-bc72-a88cf889e698", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c58563a8-d757-4476-8ae2-beb2acce38b3", "created": "2023-10-02T20:20:55.473Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:36.530Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--c596f45a-ad65-4673-b316-05378175f35e.json b/ics-attack/relationship/relationship--c596f45a-ad65-4673-b316-05378175f35e.json index 149e04d8d4..b9653ac1af 100644 --- a/ics-attack/relationship/relationship--c596f45a-ad65-4673-b316-05378175f35e.json +++ b/ics-attack/relationship/relationship--c596f45a-ad65-4673-b316-05378175f35e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aea8e952-594d-4c5f-a965-08d491ad75a1", + "id": "bundle--38a76f9f-537f-4c6b-8cfa-ba900782c7ac", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c596f45a-ad65-4673-b316-05378175f35e", "created": "2024-04-09T20:54:19.196Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:36.745Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
diff --git a/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json b/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json index bb60df009d..907525c12e 100644 --- a/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json +++ b/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8f15285c-dc16-4952-9f03-e5aa37e9f8c2", + "id": "bundle--a811c81f-2263-4e3e-b2ac-2932b4cd08b7", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a", "created": "2019-03-25T19:13:54.947Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik April 2019", diff --git a/ics-attack/relationship/relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd.json b/ics-attack/relationship/relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd.json index 33dab077e0..6eeb0fdd6f 100644 --- a/ics-attack/relationship/relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd.json +++ b/ics-attack/relationship/relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--74887885-4135-44c2-8d14-3a82d1e441ce", + "id": "bundle--586d33fa-90b4-4365-89f8-831bc8bf5969", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd", "created": "2023-09-29T18:43:49.839Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:37.152Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
diff --git a/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json b/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json index 49b86ce99a..034829acc3 100644 --- a/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json +++ b/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cbfe831a-61c1-4cb2-9314-c745ddbb74c7", + "id": "bundle--2622a637-37e6-494d-a523-7091beae95c0", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16", "created": "2020-06-10T18:36:54.638Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Trend Micro Cyclops Blink March 2022", diff --git a/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json b/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json index fed2df0524..0ee9435ff7 100644 --- a/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json +++ b/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f1e7d93-840e-44dd-9de7-b72e351c0033", + "id": "bundle--7a4e6779-6e57-4241-a9ae-9eb32621d11c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c613899c-1550-4a90-8ae9-7a964147093f.json b/ics-attack/relationship/relationship--c613899c-1550-4a90-8ae9-7a964147093f.json index 1694d80715..408b19d956 100644 --- a/ics-attack/relationship/relationship--c613899c-1550-4a90-8ae9-7a964147093f.json +++ b/ics-attack/relationship/relationship--c613899c-1550-4a90-8ae9-7a964147093f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--279822c8-5dfc-476f-961c-74f96b1c3740", + "id": "bundle--252635a2-2d44-4bad-b01f-6498782a4a0d", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--c613899c-1550-4a90-8ae9-7a964147093f", "created": "2025-09-29T19:14:51.386Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--c617dafd-fb30-41e2-bf5d-1287d826dcd1.json b/ics-attack/relationship/relationship--c617dafd-fb30-41e2-bf5d-1287d826dcd1.json index 6631afd66b..24203a16df 100644 --- a/ics-attack/relationship/relationship--c617dafd-fb30-41e2-bf5d-1287d826dcd1.json +++ b/ics-attack/relationship/relationship--c617dafd-fb30-41e2-bf5d-1287d826dcd1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d6966cb8-e578-476e-ad0d-1316659b316a", + "id": "bundle--8e0ec68d-21e2-416c-9d8b-964992831d98", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--e6bc5359-4bd4-4688-9136-ac7a6b561f56", "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", diff --git a/ics-attack/relationship/relationship--c61fb9cc-8a3c-46e6-8ae6-856aa7f16723.json b/ics-attack/relationship/relationship--c61fb9cc-8a3c-46e6-8ae6-856aa7f16723.json new file mode 100644 index 0000000000..a45a3102c3 --- /dev/null +++ b/ics-attack/relationship/relationship--c61fb9cc-8a3c-46e6-8ae6-856aa7f16723.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--96c958f0-324c-4c72-a7dc-906e1a5efd3b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c61fb9cc-8a3c-46e6-8ae6-856aa7f16723", + "created": "2026-04-22T21:41:52.241Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:41:52.241Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c6258ef7-95dc-43ef-b0c2-a20011a48699.json b/ics-attack/relationship/relationship--c6258ef7-95dc-43ef-b0c2-a20011a48699.json new file mode 100644 index 0000000000..a25863412b --- /dev/null +++ b/ics-attack/relationship/relationship--c6258ef7-95dc-43ef-b0c2-a20011a48699.json 
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--9cf32558-b464-49c0-b61a-c2d12a7d4c11",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--c6258ef7-95dc-43ef-b0c2-a20011a48699",
+ "created": "2026-04-22T22:37:37.395Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T17:18:08.551Z",
+ "description": "Implement network allowlists to minimize network access to only authorized hosts.",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json b/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json
index ee9fa0e619..45f830fccd 100644
--- a/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json
+++ b/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ba093b9c-a75d-4361-b1da-54489478b2bd",
+ "id": "bundle--6d9cfe81-2920-49f2-a3cf-554a5c85f53c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b",
 "created": "2020-09-21T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Department of Homeland Security October 2009",
diff --git a/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json b/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json index 982e509ff5..43240274b7 100644 --- a/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json +++ b/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--001dde1f-1684-4c92-b6eb-bf7661688650", + "id": "bundle--81f7cd72-72a7-4530-b77b-d9afab45c2e4", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c6520346-fe47-44ce-af75-d99004ac2977", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json b/ics-attack/relationship/relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json index cad06af018..acd12f139b 100644 --- a/ics-attack/relationship/relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json +++ b/ics-attack/relationship/relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9254c86d-a81a-4d80-a490-b24c34effb84", + "id": "bundle--a9869504-5e84-4545-b813-3c074af07363", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36", "created": "2023-09-28T21:27:50.246Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:38.535Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
diff --git a/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json b/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json index f67f40bfcb..50dd5cce0c 100644 --- a/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json +++ b/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ad50f7d-c26e-42b4-98ef-ad35128fac15", + "id": "bundle--ce08eed0-514a-4430-8f05-c07b5ea9906e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json b/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json index 561190618d..cc6f604cf9 100644 --- a/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json +++ b/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a40143d9-cace-4d38-9a67-e72e09623f32", + "id": "bundle--6fe5fc96-5526-4d63-be90-bcf8e6e77582", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--493e1d96-a534-4c4a-80d1-516616b0cc44.json b/ics-attack/relationship/relationship--c71fafe8-ed54-44d1-be6e-9a018eb9a90f.json similarity index 75% rename from ics-attack/relationship/relationship--493e1d96-a534-4c4a-80d1-516616b0cc44.json rename to ics-attack/relationship/relationship--c71fafe8-ed54-44d1-be6e-9a018eb9a90f.json index 8bec5ec95b..201fee6001 100644 --- a/ics-attack/relationship/relationship--493e1d96-a534-4c4a-80d1-516616b0cc44.json +++ b/ics-attack/relationship/relationship--c71fafe8-ed54-44d1-be6e-9a018eb9a90f.json 
@@ -1,21 +1,21 @@
 {
 "type": "bundle",
- "id": "bundle--42331113-82b9-439d-8290-a61738087812",
+ "id": "bundle--e4627b44-1a1a-4e0e-b35f-8e18cc6d0895",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--493e1d96-a534-4c4a-80d1-516616b0cc44",
+ "id": "relationship--c71fafe8-ed54-44d1-be6e-9a018eb9a90f",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-10-21T15:10:28.402Z",
- "description": "",
 "relationship_type": "detects",
 "source_ref": "x-mitre-detection-strategy--d8cb1dd3-8bf2-48e7-99db-473481b823a8",
- "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
 "x_mitre_attack_spec_version": "3.3.0"
diff --git a/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json b/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json
index 84e13df500..df88a7775b 100644
--- a/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json
+++ b/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--01a34db5-13b1-4c32-ad3e-5cd6cf706a23",
+ "id": "bundle--264b795f-4d59-430e-b571-008a8fc11b20",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,6 +8,7 @@
 "id": "relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b",
 "created": "2020-09-21T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "National Institute of Standards and Technology April 2013",
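Review bot: `modified` stays at `2025-10-21T15:10:28.402Z` in the `@@ -1,21 +1,21 @@` hunk even though the object receives a new id (`relationship--c71fafe8-ed54-44d1-be6e-9a018eb9a90f`) and a different `target_ref`. In STIX a new id is a new object, so what git reports as a 75% rename is presumably the removal of one `detects` edge plus the addition of another; the old id `relationship--493e1d96-a534-4c4a-80d1-516616b0cc44` disappears without ever being marked revoked. A consumer that merges bundles by id, or syncs incrementally on `modified`, could therefore keep the stale edge to `attack-pattern--40b300ba-f553-48bf-862e-9471b220d455` and miss the new one. The rename to `relationship--c9efe378-d028-4c09-83c7-491fadc3a1f9` further down has the same shape. I would set `created`/`modified` on the new objects to the time of this change, or document that the release has to be ingested as a full replacement.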
@@ -18,14 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-28T15:26:51.473Z",
- "description": "When at rest, project files should be encrypted to prevent unauthorized changes. (Citation: National Institute of Standards and Technology April 2013)\n",
+ "modified": "2026-04-23T19:36:36.508Z",
+ "description": "When at rest, project files should be encrypted to prevent unauthorized changes.(Citation: National Institute of Standards and Technology April 2013)\n",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
 "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json b/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json
index 2032ba927e..a0ae8194bc 100644
--- a/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json
+++ b/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3901549c-1be2-4d12-b771-729125a8aad5",
+ "id": "bundle--070942d8-be8c-4df0-ab23-9bef2c2a15b2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--c7ae1f86-2029-4354-896b-baace526bf3c.json b/ics-attack/relationship/relationship--c7ae1f86-2029-4354-896b-baace526bf3c.json
new file mode 100644
index 0000000000..aa935cbbd2
--- /dev/null
+++ b/ics-attack/relationship/relationship--c7ae1f86-2029-4354-896b-baace526bf3c.json
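Review bot: The `description` on the new side of the `@@ -18,14 +19,14 @@` hunk still says project files should be encrypted at rest "to prevent unauthorized changes", but encryption by itself protects confidentiality; a modified file is only detected when the scheme is authenticated or the file is signed. Since the string is being edited anyway, consider wording such as `When at rest, project files should be encrypted and integrity-protected (authenticated encryption or a digital signature) so that unauthorized changes are detected.`, after checking it against the cited NIST source. The edit also removes the space before `(Citation:` and keeps the trailing `\n` inside the value, both of which end up in rendered text.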
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--e32b6889-26ff-4094-acfe-a54f06355e4d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--c7ae1f86-2029-4354-896b-baace526bf3c",
+ "created": "2026-04-22T13:56:41.640Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Department of Homeland Security September 2016",
+ "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ",
+ "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T18:56:07.376Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--c7c75b98-3fb2-46fd-93de-4e59f3181dae.json b/ics-attack/relationship/relationship--c7c75b98-3fb2-46fd-93de-4e59f3181dae.json
new file mode 100644
index 0000000000..dd0c22a000
--- /dev/null
+++ b/ics-attack/relationship/relationship--c7c75b98-3fb2-46fd-93de-4e59f3181dae.json
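Review bot: The citation text added under `external_references` reads `Department of Homeland Security 2016, September Retrieved. 2020/09/25 `, which has no document title, a stray full stop after "Retrieved" and a trailing space, so a reader cannot tell which guidance backs the allowlist mitigation without opening the link. The IEC entry in the new `relationship--cae90fbb-ba0d-4a9a-9da3-b9f32ab1cd07` file ends in the same `Retrieved. 2020/09/25 ` fragment. I would normalise these to something like `Department of Homeland Security. (2016, September). <document title>. Retrieved September 25, 2020.` and check that the `us-cert.cisa.gov` link still resolves. The mitigation `description` also ends in a literal `\n` that the other new descriptions in this commit do not carry.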
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--05087d06-1411-400f-b8fb-760715c5096b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c7c75b98-3fb2-46fd-93de-4e59f3181dae", + "created": "2026-04-20T20:58:49.920Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:49.920Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "target_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c80a479e-5e7b-449b-ace0-b5ced0d2d442.json b/ics-attack/relationship/relationship--c80a479e-5e7b-449b-ace0-b5ced0d2d442.json index 31f1625457..61eeb5cff2 100644 --- a/ics-attack/relationship/relationship--c80a479e-5e7b-449b-ace0-b5ced0d2d442.json +++ b/ics-attack/relationship/relationship--c80a479e-5e7b-449b-ace0-b5ced0d2d442.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60744292-b810-41c2-bac9-6fd8972e9cb2", + "id": "bundle--4c6d4376-f98d-4e55-9126-5874ef1b18bf", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--60a55b7b-29a5-437e-83a7-edbe6f3c4415", "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", diff --git a/ics-attack/relationship/relationship--c8222300-6c5e-42d6-ae67-3595407b89fd.json b/ics-attack/relationship/relationship--c8222300-6c5e-42d6-ae67-3595407b89fd.json index 8994b852f3..080c1873bd 100644 
--- a/ics-attack/relationship/relationship--c8222300-6c5e-42d6-ae67-3595407b89fd.json +++ b/ics-attack/relationship/relationship--c8222300-6c5e-42d6-ae67-3595407b89fd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ec6cf96a-bb1f-4524-84df-ca213607299f", + "id": "bundle--46a0224f-5024-4837-aac1-759c0aaf4aa5", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c8222300-6c5e-42d6-ae67-3595407b89fd", "created": "2024-04-09T20:54:39.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:40.569Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json b/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json index ec466fd50e..18e82edabe 100644 --- a/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json +++ b/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c912ab0c-4fc2-4c49-9766-09ffdf7cf999", + "id": "bundle--c75f58e2-0a75-4b1e-9e7f-cabe7fe76bff", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c", "created": "2022-05-06T17:47:21.168Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Carl Hurd March 2019", diff --git a/ics-attack/relationship/relationship--c892fb0a-4c9f-4332-a0d3-974a8fcab565.json b/ics-attack/relationship/relationship--c892fb0a-4c9f-4332-a0d3-974a8fcab565.json new file mode 100644 index 0000000000..3f8b072451 --- /dev/null 
+++ b/ics-attack/relationship/relationship--c892fb0a-4c9f-4332-a0d3-974a8fcab565.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--186a4f54-c7b6-4979-864c-61eceabd72c2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c892fb0a-4c9f-4332-a0d3-974a8fcab565", + "created": "2026-04-20T20:54:22.907Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:22.907Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json b/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json index 1b50816f60..877d7fdb21 100644 --- a/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json +++ b/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d727c8ad-33d9-44fe-932e-9cded8f9b3bf", + "id": "bundle--ae829fce-c0ac-4cc6-9668-3fb2cde36f36", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c8c5e01d-cf78-402c-9f52-6f5c306fd300.json b/ics-attack/relationship/relationship--c8c5e01d-cf78-402c-9f52-6f5c306fd300.json new file mode 100644 index 0000000000..a01d303fe0 --- /dev/null +++ b/ics-attack/relationship/relationship--c8c5e01d-cf78-402c-9f52-6f5c306fd300.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--bd509497-c0f6-4338-a56f-d5ead68d5f05", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c8c5e01d-cf78-402c-9f52-6f5c306fd300", + "created": "2026-04-22T18:58:29.496Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:58:29.496Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json b/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json index 992c7c03f1..f7b6014365 100644 --- a/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json +++ b/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97d05a74-37a6-49fc-8723-3ed080e4c104", + "id": "bundle--f1d2ba08-2c68-4e7a-88aa-88ad24a2ac2a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c8dd2735-bd04-4413-847d-316b77c6de19", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json b/ics-attack/relationship/relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json index 00ade58dac..0279426e80 100644 
--- a/ics-attack/relationship/relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json +++ b/ics-attack/relationship/relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--443e8ebe-2d16-476c-8aba-688d3ba84a35", + "id": "bundle--80b5d87a-d42a-4ecc-85a0-86fe53e3dd91", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a", "created": "2023-09-27T13:22:13.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", diff --git a/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json b/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json index f33773e10f..5d0828d6e6 100644 --- a/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json +++ b/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fcb3a967-4551-45ef-9ad3-ee6a08f7dc56", + "id": "bundle--e24dd65a-85a3-41bd-9ccc-3438ea1d2b6b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json b/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json index e5996a0720..d86043dc27 100644 --- a/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json +++ b/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d7d94da-e88d-43f9-90cb-71c9b9964779", + "id": "bundle--715c903c-de4f-40e7-a154-bf8059afb762", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "SecureWorks September 2019", diff --git a/ics-attack/relationship/relationship--c91514db-4e02-459e-9ff4-5092fdffb049.json b/ics-attack/relationship/relationship--c91514db-4e02-459e-9ff4-5092fdffb049.json new file mode 100644 index 0000000000..ae1967939b --- /dev/null +++ b/ics-attack/relationship/relationship--c91514db-4e02-459e-9ff4-5092fdffb049.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--381b55f7-4a09-47cb-afc5-1e18b8f369bc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c91514db-4e02-459e-9ff4-5092fdffb049", + "created": "2026-04-23T00:39:44.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:34:27.166Z", + "description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json b/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json index e628e59ad5..e9255b33a8 100644 --- a/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json +++ b/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b70b3e50-a9bf-44f2-ad6b-220af3232fa4", + "id": "bundle--227a236c-0eef-4e69-abec-3a5f94ca0b34", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c95850f4-4616-435c-b237-f1985833d40e.json b/ics-attack/relationship/relationship--c95850f4-4616-435c-b237-f1985833d40e.json index c1c0a1b3a0..e64c675e37 100644 --- a/ics-attack/relationship/relationship--c95850f4-4616-435c-b237-f1985833d40e.json +++ b/ics-attack/relationship/relationship--c95850f4-4616-435c-b237-f1985833d40e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--827394a9-25f0-4424-938f-4ed2fccd8a08", + "id": "bundle--d1d7364a-d504-4c4b-9a9a-6bc5ac4ed77b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c95850f4-4616-435c-b237-f1985833d40e", "created": "2023-09-29T16:29:39.918Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:42.076Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--c95ce502-b63d-42c6-a9f2-5a3cb0922e27.json b/ics-attack/relationship/relationship--c95ce502-b63d-42c6-a9f2-5a3cb0922e27.json index b75a31255b..adc3f4b69e 100644 --- a/ics-attack/relationship/relationship--c95ce502-b63d-42c6-a9f2-5a3cb0922e27.json +++ b/ics-attack/relationship/relationship--c95ce502-b63d-42c6-a9f2-5a3cb0922e27.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f0b78527-9262-4e50-ad0f-34634dfa15f5", + "id": "bundle--1a819f1c-8abf-43f5-aef5-f1845a870334", "spec_version": "2.0", "objects": [ { 
@@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--97914ffd-b189-415e-9309-e63e3be01b1e", "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", diff --git a/ics-attack/relationship/relationship--3c182910-aaa9-4565-991d-55c1857a7fba.json b/ics-attack/relationship/relationship--c9efe378-d028-4c09-83c7-491fadc3a1f9.json similarity index 75% rename from ics-attack/relationship/relationship--3c182910-aaa9-4565-991d-55c1857a7fba.json rename to ics-attack/relationship/relationship--c9efe378-d028-4c09-83c7-491fadc3a1f9.json index 1fdfa9ad64..37a5e56558 100644 --- a/ics-attack/relationship/relationship--3c182910-aaa9-4565-991d-55c1857a7fba.json +++ b/ics-attack/relationship/relationship--c9efe378-d028-4c09-83c7-491fadc3a1f9.json @@ -1,21 +1,21 @@ { "type": "bundle", - "id": "bundle--c19a8d2f-acda-45e3-b921-cf31ef1e53de", + "id": "bundle--a5948925-cb5f-4c41-9274-48b8e497146e", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--3c182910-aaa9-4565-991d-55c1857a7fba", + "id": "relationship--c9efe378-d028-4c09-83c7-491fadc3a1f9", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--09f46edf-33f9-4c23-af2f-74864c27f616", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.3.0" 
diff --git a/ics-attack/relationship/relationship--c9fb4adb-8064-426a-838d-c93674fb380b.json b/ics-attack/relationship/relationship--c9fb4adb-8064-426a-838d-c93674fb380b.json index 6c2e6ad5dd..008b10dee5 100644 --- a/ics-attack/relationship/relationship--c9fb4adb-8064-426a-838d-c93674fb380b.json +++ b/ics-attack/relationship/relationship--c9fb4adb-8064-426a-838d-c93674fb380b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3d831168-9c83-4cba-8b80-1a8cbef1f296", + "id": "bundle--456dbc85-9ddd-45df-91fe-a0a1d65f4a7a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--c9fb4adb-8064-426a-838d-c93674fb380b", "created": "2023-09-29T18:44:38.035Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:42.312Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--ca13a117-aae0-4802-878b-c09f4a04dd31.json b/ics-attack/relationship/relationship--ca13a117-aae0-4802-878b-c09f4a04dd31.json index 61a479b71d..87556e74f9 100644 --- a/ics-attack/relationship/relationship--ca13a117-aae0-4802-878b-c09f4a04dd31.json +++ b/ics-attack/relationship/relationship--ca13a117-aae0-4802-878b-c09f4a04dd31.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--58dbc13a-f6a2-49db-be7d-ec95da813eb7", + "id": "bundle--87729fcc-69b6-401f-80d5-3c3ae99272e7", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--ca13a117-aae0-4802-878b-c09f4a04dd31", "created": "2023-09-28T20:06:50.018Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:42.722Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--ca225ea0-e813-4205-98db-707b474ae24f.json b/ics-attack/relationship/relationship--ca225ea0-e813-4205-98db-707b474ae24f.json index c48084946d..02202b333a 100644 --- a/ics-attack/relationship/relationship--ca225ea0-e813-4205-98db-707b474ae24f.json +++ b/ics-attack/relationship/relationship--ca225ea0-e813-4205-98db-707b474ae24f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--752368e4-7e8b-452c-be05-11765891db69", + "id": "bundle--437a2125-abaa-4c39-befc-93ae45e1a09d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ca225ea0-e813-4205-98db-707b474ae24f", "created": "2024-04-09T20:49:44.575Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:42.923Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json b/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json index 57be050052..c12fcfbd9a 100644 --- a/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json +++ b/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f807c95e-8c23-438f-9f4d-4467289bbe3a", + "id": "bundle--7c5623c9-2090-4763-9b5e-83c1692ac480", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Anton Cherepanov, ESET June 2017", diff --git a/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json b/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json index 560c057901..10d8ee1e98 100644 --- a/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json +++ b/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb013a81-f555-4faf-92bb-0000fbc745a8", + "id": "bundle--79539e15-4d76-4cea-a610-aa1f055ee6f8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json b/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json index 935251f174..25b4d82c2d 100644 --- a/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json +++ b/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2587240e-68f3-4b37-9b10-e8518c33079e", + "id": "bundle--74ad16a1-a013-4103-8332-02f1c46f5494", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json b/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json index afc4fe0769..57094987cd 100644 --- a/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json +++ b/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--83f4d5a6-8cac-4e94-b593-84b439115642", + "id": "bundle--529572f7-4de1-402a-b992-48f2f940d5bb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ca77cbbf-8938-4dd0-b454-df5703bc1718.json b/ics-attack/relationship/relationship--ca77cbbf-8938-4dd0-b454-df5703bc1718.json new file mode 100644 index 0000000000..19e62e67d8 --- /dev/null +++ b/ics-attack/relationship/relationship--ca77cbbf-8938-4dd0-b454-df5703bc1718.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--991783e2-8958-4190-930b-76cfb38a1840", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ca77cbbf-8938-4dd0-b454-df5703bc1718", + "created": "2026-04-22T17:55:35.905Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T17:55:35.905Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--31773402-e407-4ed3-b86c-7a8587dc5ec9", + "target_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json b/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json index 68288c2690..276f014f19 100644 --- a/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json +++ b/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1c808577-e0a4-4780-9472-040aa47791b9", + "id": "bundle--33bc3b59-9c52-4f23-867f-0d27ff5445d5", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Carl Hurd March 2019", diff --git a/ics-attack/relationship/relationship--cae90fbb-ba0d-4a9a-9da3-b9f32ab1cd07.json b/ics-attack/relationship/relationship--cae90fbb-ba0d-4a9a-9da3-b9f32ab1cd07.json new file mode 100644 index 0000000000..2fd95992fa --- /dev/null +++ b/ics-attack/relationship/relationship--cae90fbb-ba0d-4a9a-9da3-b9f32ab1cd07.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--f62edb21-911b-4bf6-bf5b-66b258b176e4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--cae90fbb-ba0d-4a9a-9da3-b9f32ab1cd07",
+ "created": "2026-04-23T00:38:14.226Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "IEC February 2019",
+ "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ",
+ "url": "https://webstore.iec.ch/publication/34421"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T20:09:25.837Z",
+ "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used.(Citation: IEC February 2019)",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
+ "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json b/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json
index ff6a40658e..3e40e11eaa 100644
--- a/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json
+++ b/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json
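Review bot: The new `description` on relationship--cae90fbb-ba0d-4a9a-9da3-b9f32ab1cd07 recommends cryptographic hash functions over CRCs but does not say where the expected digest comes from. An unkeyed hash only detects tampering when the reference value is obtained or stored somewhere the adversary cannot also modify. If the cited IEC requirement supports it, I would extend the last sentence to something like `Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used, with the reference digest protected or the program digitally signed.` The reference `description` also ends in `Retrieved. 2020/09/25 ` with a trailing space that is worth trimming.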
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--479590c4-35ec-4f40-9b45-1eb72167afd1", + "id": "bundle--eb2728d1-70fb-4f47-937f-d281a7e8893f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json b/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json index d2314b347d..0bfe95213f 100644 --- a/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json +++ b/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1df2c076-4e94-4f1c-b39a-861b43cf8671", + "id": "bundle--a5325cc3-5d70-401b-a45f-b42697f974e3", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json b/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json index 07d6e09a27..10917cee06 100644 --- a/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json +++ b/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e1fff4ac-2dcf-4fbb-874e-e6e8bec1a3f8", + "id": "bundle--94cd0be4-9b80-4f38-be43-7dad3d29e1d2", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", 
diff --git a/ics-attack/relationship/relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json b/ics-attack/relationship/relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json index fb4c94f95d..9957955a29 100644 --- a/ics-attack/relationship/relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json +++ b/ics-attack/relationship/relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b8b267b-2df4-40da-978a-8a2be15c76ec", + "id": "bundle--14af7e2f-41dc-4bd4-97a4-608a15287731", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd", "created": "2023-09-28T21:14:29.099Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:44.717Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json b/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json index 655de75b4c..f23e1897f9 100644 --- a/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json +++ b/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb2be617-d27a-4dc7-9937-97c2907e3397", + "id": "bundle--b26eb113-b3f7-4187-bd7f-9a592d6396c3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json b/ics-attack/relationship/relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json index 47a3ce792c..411cef0e1f 100644 --- a/ics-attack/relationship/relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json 
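Review bot: In relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd the second hunk drops `"revoked": false` and `"description": ""` while `"modified": "2025-04-16T23:04:44.717Z"` stays a context line, so the object body changes under an unchanged version timestamp. Consumers that cache or deduplicate STIX objects by `id` plus `modified` would not pick up the new body, and any that read `revoked` or `description` without a default must now treat a missing key as `false` or empty. Either bump `modified` on these objects or state in the release notes that omitted keys carry their STIX defaults. The same pattern appears in the cbc65a60, cbee31a0, cc5c77ce and ccbb44ad hunks.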
+++ b/ics-attack/relationship/relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9c184f5a-084f-4eb1-9df6-dc0ae0acdf06", + "id": "bundle--0d05103b-5215-45d6-bf13-626be70aa68c", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794", "created": "2023-03-30T14:08:42.386Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "M. Rentschler and H. Heine", diff --git a/ics-attack/relationship/relationship--b352884f-2a60-41c6-b348-0bbb5859802a.json b/ics-attack/relationship/relationship--cb6e6679-42b7-48ce-b546-7c45cdefb4c5.json similarity index 71% rename from ics-attack/relationship/relationship--b352884f-2a60-41c6-b348-0bbb5859802a.json rename to ics-attack/relationship/relationship--cb6e6679-42b7-48ce-b546-7c45cdefb4c5.json index ae836bfa42..c3b64889a9 100644 --- a/ics-attack/relationship/relationship--b352884f-2a60-41c6-b348-0bbb5859802a.json +++ b/ics-attack/relationship/relationship--cb6e6679-42b7-48ce-b546-7c45cdefb4c5.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--0a34d345-998a-429a-be41-1969f6d81a79", + "id": "bundle--e9068c84-c6c9-4d1d-aed4-8499d55760bf", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--b352884f-2a60-41c6-b348-0bbb5859802a", + "id": "relationship--cb6e6679-42b7-48ce-b546-7c45cdefb4c5", "created": "2023-09-28T20:01:52.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:16.436Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bf8e68fe-1969-48d1-be0e-ec742378748d.json b/ics-attack/relationship/relationship--cb7fc6bb-f62d-4316-91d3-ecab283e2976.json similarity index 71% rename from ics-attack/relationship/relationship--bf8e68fe-1969-48d1-be0e-ec742378748d.json rename to ics-attack/relationship/relationship--cb7fc6bb-f62d-4316-91d3-ecab283e2976.json index 07acb08573..e462413508 100644 --- a/ics-attack/relationship/relationship--bf8e68fe-1969-48d1-be0e-ec742378748d.json +++ b/ics-attack/relationship/relationship--cb7fc6bb-f62d-4316-91d3-ecab283e2976.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--4029fdec-64d8-4007-992d-1c837adcc2c9", + "id": "bundle--a212ea41-c5bf-4f5c-a125-21b056ce3039", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--bf8e68fe-1969-48d1-be0e-ec742378748d", + "id": "relationship--cb7fc6bb-f62d-4316-91d3-ecab283e2976", "created": "2023-09-29T18:56:34.302Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
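Review bot: The file renamed to relationship--cb6e6679-42b7-48ce-b546-7c45cdefb4c5.json is effectively a new STIX object rather than a new version of the old one: the previous hunk replaces the `id`, this hunk changes `source_ref` and the spec version, yet `created` and `"modified": "2025-04-16T23:04:16.436Z"` are unchanged context and the old id relationship--b352884f-2a60-41c6-b348-0bbb5859802a simply disappears. A consumer that syncs incrementally by id gets no signal to retire the old relationship and may keep mapping the asset to what is presumably a superseded technique. Consider giving the new object its own `created`/`modified` and either keeping the old object with `"revoked": true` or listing removed ids in the release notes. The bf8e68fe→cb7fc6bb, eff19f74→cc1f9236 and acace658→cdc5aea4 renames follow the same id-replacement pattern.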
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:30.459Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cb84ce4c-4fb7-4e16-b10c-c932d34f0699.json b/ics-attack/relationship/relationship--cb84ce4c-4fb7-4e16-b10c-c932d34f0699.json new file mode 100644 index 0000000000..cc48282ff8 --- /dev/null +++ b/ics-attack/relationship/relationship--cb84ce4c-4fb7-4e16-b10c-c932d34f0699.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--e2860231-08dd-44fa-9690-dfdf315fa32d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cb84ce4c-4fb7-4e16-b10c-c932d34f0699", + "created": "2026-04-22T21:36:37.108Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:36:37.108Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--cb993689-bb59-4c96-b9fd-42cfcb92d76f.json b/ics-attack/relationship/relationship--cb993689-bb59-4c96-b9fd-42cfcb92d76f.json new file mode 100644 index 0000000000..ce789dc8a0 --- /dev/null +++ b/ics-attack/relationship/relationship--cb993689-bb59-4c96-b9fd-42cfcb92d76f.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--06195da4-1d8e-4a09-8bb2-af4ab9a6de39", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cb993689-bb59-4c96-b9fd-42cfcb92d76f", + "created": "2026-04-22T16:03:21.013Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Research Whitepapers September 2018", + "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + }, + { + "source_name": "Intel", + "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", + "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" + }, + { + "source_name": "N/A", + "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", + "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:07:32.354Z", + "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. 
Use Trusted Platform Module technology.(Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory.(Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this.(Citation: Intel)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json b/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json index c42c9fe169..ee5dbb0bf0 100644 --- a/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json +++ b/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9e980e3-1f3e-46c2-92ae-09d6e11de51b", + "id": "bundle--fe773679-e111-4f23-a984-636f73a5bc80", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--cba8313b-c338-45f7-88ef-a514094882ac", "created": "2022-09-28T20:28:39.348Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Wylie-22", diff --git a/ics-attack/relationship/relationship--cbc62104-d3df-499c-9630-b510e99f3acd.json b/ics-attack/relationship/relationship--cbc62104-d3df-499c-9630-b510e99f3acd.json index ee17099ff7..461ee3f1a7 100644 --- a/ics-attack/relationship/relationship--cbc62104-d3df-499c-9630-b510e99f3acd.json +++ b/ics-attack/relationship/relationship--cbc62104-d3df-499c-9630-b510e99f3acd.json 
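Review bot: The `external_references` added for relationship--cb993689-bb59-4c96-b9fd-42cfcb92d76f look mis-assembled: the `Intel` entry's `description` begins with the full ESET LoJax citation text before the Intel paper title, and the TPM summary is keyed `"source_name": "N/A"`, which then surfaces in the mitigation text as `(Citation: N/A)`. Because citations are resolved by `source_name`, a placeholder key can collide with any other reference keyed the same way and leaves the reader unable to identify the source. I would reduce the Intel description to `Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25` and give the TPM reference a descriptive key, for example `Trusted Computing Group TPM Summary`, updating the citation in `description` to match.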
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f40b0478-b436-4ccd-9f41-a7803a83fe0d", + "id": "bundle--0440c5d5-2abb-4ba7-a648-1e28e15875d2", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--cbc62104-d3df-499c-9630-b510e99f3acd", "created": "2025-09-29T19:07:05.860Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d.json b/ics-attack/relationship/relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d.json index 17894706ad..68d186e51b 100644 --- a/ics-attack/relationship/relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d.json +++ b/ics-attack/relationship/relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f2e2aeed-e42a-4d18-ae29-aa2ec1a89b4c", + "id": "bundle--4ec437c0-8dfa-40d1-b5de-01c26938d7b9", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--cbc65a60-3b40-4ecf-a10d-8ef1be72568d", "created": "2024-04-09T20:54:26.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:45.573Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749.json b/ics-attack/relationship/relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749.json index 99589693ce..4dd124bb12 100644 --- a/ics-attack/relationship/relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749.json +++ b/ics-attack/relationship/relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0cd0a859-7b5f-4c05-b368-839dccda4648", + "id": "bundle--ab2856a6-5ff2-4672-b35d-4198d0a7e3bc", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749", "created": "2023-10-20T17:05:25.595Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:45.801Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0.json b/ics-attack/relationship/relationship--cc1f9236-42f2-463f-9894-44197fbe2867.json similarity index 71% rename from ics-attack/relationship/relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0.json rename to ics-attack/relationship/relationship--cc1f9236-42f2-463f-9894-44197fbe2867.json index 2b269bead7..b5bd8e0fc8 100644 --- a/ics-attack/relationship/relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0.json +++ b/ics-attack/relationship/relationship--cc1f9236-42f2-463f-9894-44197fbe2867.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--6ce6a186-9a73-468b-b1c0-ed04df31a4ce", + "id": "bundle--1a505d7d-eb1c-4c63-ba6e-1c9b92903d0f", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0", + "id": "relationship--cc1f9236-42f2-463f-9894-44197fbe2867", "created": "2023-09-29T16:39:09.447Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:24.415Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a.json b/ics-attack/relationship/relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a.json index 23ad37fb4a..b16a181f48 100644 --- a/ics-attack/relationship/relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a.json +++ b/ics-attack/relationship/relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3c5f243-c51a-42db-b4ee-436504868406", + "id": "bundle--7c598c30-e571-4c37-816a-bd317e332322", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a", "created": "2023-09-29T16:30:08.166Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:46.007Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json b/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json index cb930b904e..8dcac05c8b 100644 --- a/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json 
+++ b/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--162f186a-673f-44e1-b7ea-681be95ad22c", + "id": "bundle--2258a5a6-681c-42c1-a329-9ea250803390", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json b/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json index b59b4aa448..d542ed480f 100644 --- a/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json +++ b/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c3e2cc7-f01a-4af9-ae05-3fb905496ae4", + "id": "bundle--dd0c684e-45bb-4085-9050-e5deea37d385", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--ccbb44ad-2220-4260-99ce-9142c44fc797.json b/ics-attack/relationship/relationship--ccbb44ad-2220-4260-99ce-9142c44fc797.json index da7835e3bc..1fe3b991d0 100644 --- a/ics-attack/relationship/relationship--ccbb44ad-2220-4260-99ce-9142c44fc797.json +++ b/ics-attack/relationship/relationship--ccbb44ad-2220-4260-99ce-9142c44fc797.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b6f2c439-b308-432b-8544-fa3ca91074b9", + "id": "bundle--64f2f07f-04b2-4b4c-b769-a40523a9b4ea", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--ccbb44ad-2220-4260-99ce-9142c44fc797", "created": "2023-09-28T21:10:03.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:46.864Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--ccc5523f-b7a7-4bd1-a9a2-eb00f44cc778.json b/ics-attack/relationship/relationship--ccc5523f-b7a7-4bd1-a9a2-eb00f44cc778.json new file mode 100644 index 0000000000..5bd8feccf5 --- /dev/null +++ b/ics-attack/relationship/relationship--ccc5523f-b7a7-4bd1-a9a2-eb00f44cc778.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--09ea3f11-65e2-4bfa-a2e9-6ed64ff9a2f1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ccc5523f-b7a7-4bd1-a9a2-eb00f44cc778", + "created": "2026-04-22T22:46:35.212Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:46:35.212Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json b/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json index c7595e426c..72146af28d 100644 
--- a/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json +++ b/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3afe221d-40d5-4429-8cea-f2bcdf6895db", + "id": "bundle--9c6d4754-1de7-44ce-9454-820072e4ad03", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7", "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jos Wetzels January 2018", diff --git a/ics-attack/relationship/relationship--ccef2177-65ca-4126-bcd9-dd6ffb4c5e06.json b/ics-attack/relationship/relationship--ccef2177-65ca-4126-bcd9-dd6ffb4c5e06.json index 660384af57..1e99f9b80d 100644 --- a/ics-attack/relationship/relationship--ccef2177-65ca-4126-bcd9-dd6ffb4c5e06.json +++ b/ics-attack/relationship/relationship--ccef2177-65ca-4126-bcd9-dd6ffb4c5e06.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc11404d-cbf5-43b3-aae6-bfc800f9e330", + "id": "bundle--95d1e821-4039-4011-a02c-8861d89d96cc", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--9f3df5ac-caa0-4189-9b9b-dcf2f6bbdc54", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", diff --git a/ics-attack/relationship/relationship--cd0ba68b-398b-4df1-b9bd-c1ea3ba0791f.json b/ics-attack/relationship/relationship--cd0ba68b-398b-4df1-b9bd-c1ea3ba0791f.json new file mode 100644 index 0000000000..9ea5d747be --- /dev/null +++ b/ics-attack/relationship/relationship--cd0ba68b-398b-4df1-b9bd-c1ea3ba0791f.json 
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--861fea0f-8d5d-41f7-90ac-97378b0e1938",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--cd0ba68b-398b-4df1-b9bd-c1ea3ba0791f",
+ "created": "2026-04-22T18:56:41.507Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T18:56:41.507Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a",
+ "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cd18f19c-71dc-4b7b-929c-647804d4c614.json b/ics-attack/relationship/relationship--cd18f19c-71dc-4b7b-929c-647804d4c614.json
new file mode 100644
index 0000000000..2f4d835363
--- /dev/null
+++ b/ics-attack/relationship/relationship--cd18f19c-71dc-4b7b-929c-647804d4c614.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--00e48828-a612-4b8b-afba-782113b2709a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--cd18f19c-71dc-4b7b-929c-647804d4c614",
+ "created": "2026-04-22T21:38:36.440Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T21:38:36.440Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9",
+ "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cd1be463-233c-43c8-b03d-fa0d6bdd8427.json b/ics-attack/relationship/relationship--cd1be463-233c-43c8-b03d-fa0d6bdd8427.json
new file mode 100644
index 0000000000..1b7d55c573
--- /dev/null
+++ b/ics-attack/relationship/relationship--cd1be463-233c-43c8-b03d-fa0d6bdd8427.json
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--e062db72-1e03-4860-96fc-648de64e3eee",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--cd1be463-233c-43c8-b03d-fa0d6bdd8427",
+ "created": "2026-04-20T20:54:19.034Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-20T20:54:19.034Z",
+ "relationship_type": "subtechnique-of",
+ "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91",
+ "target_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cd645dbe-000a-43f9-86e6-622bb1ab1053.json b/ics-attack/relationship/relationship--cd645dbe-000a-43f9-86e6-622bb1ab1053.json
new file mode 100644
index 0000000000..3cd6bbc0f7
--- /dev/null
+++ b/ics-attack/relationship/relationship--cd645dbe-000a-43f9-86e6-622bb1ab1053.json
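Review bot: The new `subtechnique-of` relationship relationship--cd1be463-233c-43c8-b03d-fa0d6bdd8427 has no `x_mitre_deprecated` key, while the other relationship files added in this part of the diff all carry `"x_mitre_deprecated": false` (this file is 23 lines where the otherwise identical `targets` files are 24). Tooling that selects active objects by comparing that key to `false`, rather than defaulting a missing key, could drop the parent/sub-technique link. If the omission is not intentional, add `"x_mitre_deprecated": false,` after the `x_mitre_modified_by_ref` line.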
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--d7bae56d-38df-4623-9cf1-cff5a0c5aaee",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--cd645dbe-000a-43f9-86e6-622bb1ab1053",
+ "created": "2026-04-23T00:41:02.190Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T17:38:51.867Z",
+ "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
+ "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--cd6f1ca4-aaec-451d-b855-55cdb0c3dde8.json b/ics-attack/relationship/relationship--cd6f1ca4-aaec-451d-b855-55cdb0c3dde8.json
index 7d4829589d..770dbd07a4 100644
--- a/ics-attack/relationship/relationship--cd6f1ca4-aaec-451d-b855-55cdb0c3dde8.json
+++ b/ics-attack/relationship/relationship--cd6f1ca4-aaec-451d-b855-55cdb0c3dde8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--316ef7a2-fac1-4d9f-97a0-241a008b8036",
+ "id": "bundle--1111524d-0e1b-474b-bab3-1fe9770e8e98",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--cd6f1ca4-aaec-451d-b855-55cdb0c3dde8",
 "created": "2024-03-28T14:27:34.578Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Triton-EENews-2017",
diff --git a/ics-attack/relationship/relationship--acace658-da7e-4a19-aa98-8aec8c966dde.json b/ics-attack/relationship/relationship--cdc5aea4-1aac-4e6b-86cd-39617629d96b.json similarity index 86% rename from ics-attack/relationship/relationship--acace658-da7e-4a19-aa98-8aec8c966dde.json rename to ics-attack/relationship/relationship--cdc5aea4-1aac-4e6b-86cd-39617629d96b.json index 6e65559a96..27c2cd28d8 100644 --- a/ics-attack/relationship/relationship--acace658-da7e-4a19-aa98-8aec8c966dde.json +++ b/ics-attack/relationship/relationship--cdc5aea4-1aac-4e6b-86cd-39617629d96b.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--a85f8264-ed29-49c1-b574-2e772ca0925f", + "id": "bundle--7f3123a0-b20c-405e-8baf-d2949dda6ca5", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--acace658-da7e-4a19-aa98-8aec8c966dde", + "id": "relationship--cdc5aea4-1aac-4e6b-86cd-39617629d96b", "created": "2023-09-27T14:53:03.323Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -23,10 +23,10 @@ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breaks after gaining control of operator workstations and accessing a distribution management system (DMS) application. (Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986.json b/ics-attack/relationship/relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986.json index 5b7802b5b3..4cc34201ad 100644 --- a/ics-attack/relationship/relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986.json +++ b/ics-attack/relationship/relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b9fce39b-49bc-4982-bf82-2f306982476b", + "id": "bundle--faeb3fc2-0d38-40fb-93be-223263c29f42", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986", "created": "2023-09-29T16:31:36.462Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:48.157Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--ce5833db-4cd2-4034-ac97-8a02b14e0095.json b/ics-attack/relationship/relationship--ce5833db-4cd2-4034-ac97-8a02b14e0095.json index 8d8e4026c2..abbb13373d 100644 --- a/ics-attack/relationship/relationship--ce5833db-4cd2-4034-ac97-8a02b14e0095.json +++ b/ics-attack/relationship/relationship--ce5833db-4cd2-4034-ac97-8a02b14e0095.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ddc8f6a1-195a-4fcd-bc67-404a091405bd", + "id": "bundle--cc2c6e47-17d3-4178-a443-545cd3499a02", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--ce5833db-4cd2-4034-ac97-8a02b14e0095", "created": "2025-09-29T19:03:17.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json b/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json index 132446b33e..6968ad17a9 100644 --- a/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json +++ b/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d7792071-987b-4a49-a027-d2f35c499f6f", + "id": "bundle--f5cffae1-78d7-4fd9-a966-72b96644e2fa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1.json b/ics-attack/relationship/relationship--cea316fe-8a9d-4e7c-ab2e-6134585bb69f.json similarity index 71% rename from ics-attack/relationship/relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1.json rename to ics-attack/relationship/relationship--cea316fe-8a9d-4e7c-ab2e-6134585bb69f.json index 15e9d02414..b3d0f0f8e3 100644 --- a/ics-attack/relationship/relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1.json +++ b/ics-attack/relationship/relationship--cea316fe-8a9d-4e7c-ab2e-6134585bb69f.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--47d0d7ac-7eb8-4b1d-a095-e7074dd3b4e5", + "id": "bundle--f701e3ad-d66c-4bfd-be7e-7de5ab5ab189", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1", + "id": "relationship--cea316fe-8a9d-4e7c-ab2e-6134585bb69f", "created": "2023-09-28T19:49:56.464Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:05:29.445Z",
- "description": "",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5",
 "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7cd47eb6-e73a-4a0b-a62e-7e066090b804.json b/ics-attack/relationship/relationship--cf3d020e-5ca7-4867-a502-654e445cc45c.json
similarity index 86%
rename from ics-attack/relationship/relationship--7cd47eb6-e73a-4a0b-a62e-7e066090b804.json
rename to ics-attack/relationship/relationship--cf3d020e-5ca7-4867-a502-654e445cc45c.json
index f92c319ceb..2a3f8e7540 100644
--- a/ics-attack/relationship/relationship--7cd47eb6-e73a-4a0b-a62e-7e066090b804.json
+++ b/ics-attack/relationship/relationship--cf3d020e-5ca7-4867-a502-654e445cc45c.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--5e9e5ca4-a7c5-47fa-b0fd-412ed33048cc",
+ "id": "bundle--be812412-4280-4ec6-aeb4-e25c29403c9d",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--7cd47eb6-e73a-4a0b-a62e-7e066090b804",
+ "id": "relationship--cf3d020e-5ca7-4867-a502-654e445cc45c",
 "created": "2024-03-27T19:55:40.243Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
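Review bot: `modified` is left at `2025-04-16T23:05:29.445Z` as a context line in the `@@ -13,13 +13,12 @@` hunk of `relationship--cea316fe-8a9d-4e7c-ab2e-6134585bb69f`, although the same hunk changes `source_ref` and the spec version and the file's first hunk issues a new `id`. A consumer that syncs this data incrementally by `id` and `modified` sees an apparently year-old object and no revoked record for `relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1`, so the old technique-to-asset mapping may linger in downstream stores. The same pattern is visible in the `@@ -13,13 +13,12 @@` hunks of `relationship--cf528b10-4629-…` (written in full: `relationship--cf528b10-a4e6-49ed-8bc8-4629115d7752`) and `relationship--cfea8d23-2078-4741-bc12-7afa7a2dffa0`, whereas the renamed `relationship--d1445579-245b-4698-a7df-365379e0d36d` does bump `modified`. I would set `"modified": "<timestamp of this change>",` on each re-issued object and document in the release notes that the old relationship ids are removed rather than revoked.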
@@ -23,10 +23,10 @@ "description": "During the [2022 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0034), [Sandworm Team](https://attack.mitre.org/groups/G0034) used the MicroSCADA SCIL-API to specify a set of SCADA instructions, including the sending of unauthorized commands to substation devices.(Citation: Mandiant-Sandworm-Ukraine-2022)", "relationship_type": "uses", "source_ref": "campaign--df8eb785-70f8-4300-b444-277ba849083d", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63.json b/ics-attack/relationship/relationship--cf528b10-a4e6-49ed-8bc8-4629115d7752.json similarity index 71% rename from ics-attack/relationship/relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63.json rename to ics-attack/relationship/relationship--cf528b10-a4e6-49ed-8bc8-4629115d7752.json index a36bc3c1ff..86fcb31c3a 100644 --- a/ics-attack/relationship/relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63.json +++ b/ics-attack/relationship/relationship--cf528b10-a4e6-49ed-8bc8-4629115d7752.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--5321797b-6ce0-4a2a-9512-70efa00d52f6", + "id": "bundle--c7630edf-883e-4865-9e6c-9bb9e209cfc7", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63", + "id": "relationship--cf528b10-a4e6-49ed-8bc8-4629115d7752", "created": "2023-09-29T17:57:44.978Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:57.777Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json b/ics-attack/relationship/relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json index 488f2204de..f2e122936b 100644 --- a/ics-attack/relationship/relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json +++ b/ics-attack/relationship/relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--028ba6fc-9dab-4d29-94c5-f0d0db2e8cd1", + "id": "bundle--cd865746-9abf-47b5-a06a-1c52104bedd6", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d", "created": "2023-09-29T16:29:16.222Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:49.067Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--cf568097-5db4-4518-a786-87870dec04e0.json b/ics-attack/relationship/relationship--cf568097-5db4-4518-a786-87870dec04e0.json new file mode 100644 index 0000000000..3686955e8d --- /dev/null 
+++ b/ics-attack/relationship/relationship--cf568097-5db4-4518-a786-87870dec04e0.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--ba4abb1c-da29-48d4-a749-73a1621868dd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cf568097-5db4-4518-a786-87870dec04e0", + "created": "2026-04-22T20:27:00.492Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:27:00.492Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cf8a816c-30ee-4147-a48f-d797fb145a04.json b/ics-attack/relationship/relationship--cf8a816c-30ee-4147-a48f-d797fb145a04.json index c5538a5957..24f47de882 100644 --- a/ics-attack/relationship/relationship--cf8a816c-30ee-4147-a48f-d797fb145a04.json +++ b/ics-attack/relationship/relationship--cf8a816c-30ee-4147-a48f-d797fb145a04.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95ef6855-a9c9-48b6-ab8d-001ff770cbd2", + "id": "bundle--e5acf1a6-a842-48bc-a7e4-387f1c299235", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--cf8a816c-30ee-4147-a48f-d797fb145a04", "created": "2023-09-29T17:43:10.828Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:49.460Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--cf8acb4a-4918-4155-99a7-ee938278bbca.json b/ics-attack/relationship/relationship--cf8acb4a-4918-4155-99a7-ee938278bbca.json index 33f5a332b1..cf8c41d31a 100644 --- a/ics-attack/relationship/relationship--cf8acb4a-4918-4155-99a7-ee938278bbca.json +++ b/ics-attack/relationship/relationship--cf8acb4a-4918-4155-99a7-ee938278bbca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5e348c94-d569-41ba-aa69-3fcc33480ad9", + "id": "bundle--ad6f3456-6d93-4f66-ba07-f8372e76a2ba", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--8ae936b6-b635-4104-bd11-81c18d90cf97", "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", diff --git a/ics-attack/relationship/relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185.json b/ics-attack/relationship/relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185.json index ae12bb8132..d853ffe829 100644 --- a/ics-attack/relationship/relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185.json +++ b/ics-attack/relationship/relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4c4d4498-42ec-463c-9a8a-96a53b80d52f", + "id": "bundle--f3009f7d-f5be-4b96-80d5-68930d00552b", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185", "created": "2023-09-28T21:15:44.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:49.882Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--cfb7dbe9-53ac-4b51-b031-3ae26ad1e1a5.json b/ics-attack/relationship/relationship--cfb7dbe9-53ac-4b51-b031-3ae26ad1e1a5.json new file mode 100644 index 0000000000..08e77ceebf --- /dev/null +++ b/ics-attack/relationship/relationship--cfb7dbe9-53ac-4b51-b031-3ae26ad1e1a5.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--6e498945-0dde-4a31-b4b6-6e29b141f0d3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cfb7dbe9-53ac-4b51-b031-3ae26ad1e1a5", + "created": "2026-04-22T20:25:44.025Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:25:44.025Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cfc97955-3fda-4152-94c6-106f58a5579b.json b/ics-attack/relationship/relationship--cfc97955-3fda-4152-94c6-106f58a5579b.json new file mode 100644 index 0000000000..1f1a2fa646 --- /dev/null 
+++ b/ics-attack/relationship/relationship--cfc97955-3fda-4152-94c6-106f58a5579b.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--000cd02d-89ab-4002-ac16-dc3eb21e95b1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cfc97955-3fda-4152-94c6-106f58a5579b", + "created": "2026-04-20T20:54:16.106Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:16.106Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", + "target_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c.json b/ics-attack/relationship/relationship--cfea8d23-2078-4741-bc12-7afa7a2dffa0.json similarity index 71% rename from ics-attack/relationship/relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c.json rename to ics-attack/relationship/relationship--cfea8d23-2078-4741-bc12-7afa7a2dffa0.json index be638b0fbb..4f75e4b6c6 100644 --- a/ics-attack/relationship/relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c.json +++ b/ics-attack/relationship/relationship--cfea8d23-2078-4741-bc12-7afa7a2dffa0.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--fd57a087-ea3b-4f40-a750-9750394154f5", + "id": "bundle--a33bc88a-449a-431d-9df2-322c3dd2bf6b", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c", + "id": "relationship--cfea8d23-2078-4741-bc12-7afa7a2dffa0", "created": "2023-09-28T21:09:41.659Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:29.875Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "source_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d015831c-a253-491d-9106-4ad0ccb43c3b.json b/ics-attack/relationship/relationship--d015831c-a253-491d-9106-4ad0ccb43c3b.json index 90dc1a1510..79ee7f2605 100644 --- a/ics-attack/relationship/relationship--d015831c-a253-491d-9106-4ad0ccb43c3b.json +++ b/ics-attack/relationship/relationship--d015831c-a253-491d-9106-4ad0ccb43c3b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3f79d6bd-0027-451d-94d3-e02727983bd5", + "id": "bundle--fb949fa9-59fb-43e9-890d-57b3a508a1c0", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d015831c-a253-491d-9106-4ad0ccb43c3b", "created": "2025-09-24T18:23:51.180Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab.json b/ics-attack/relationship/relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab.json index 43e049989f..5ea0dc25ed 100644 --- a/ics-attack/relationship/relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab.json +++ b/ics-attack/relationship/relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--de4c79b5-9759-4846-adc7-5fa7a96ffc6f", + "id": "bundle--8229896c-9d8a-4374-aa4e-0ed26575be70", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab", "created": "2023-10-02T20:22:25.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:50.270Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--d035ee22-59f0-4d4e-9420-d26f43533b06.json b/ics-attack/relationship/relationship--d035ee22-59f0-4d4e-9420-d26f43533b06.json new file mode 100644 index 0000000000..727f00ff24 --- /dev/null +++ b/ics-attack/relationship/relationship--d035ee22-59f0-4d4e-9420-d26f43533b06.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--4fbffe44-4394-4455-b264-97d5b5236c8f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d035ee22-59f0-4d4e-9420-d26f43533b06", + "created": "2026-04-23T00:44:17.657Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:44:17.657Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c1645705-a26f-45b2-aa68-ff5c93dfc0f4", + "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--d03785b3-9b51-45f2-aff5-029555c53826.json b/ics-attack/relationship/relationship--d03785b3-9b51-45f2-aff5-029555c53826.json
new file mode 100644
index 0000000000..bd35553ca1
--- /dev/null
+++ b/ics-attack/relationship/relationship--d03785b3-9b51-45f2-aff5-029555c53826.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--38f409de-b364-4d29-aef9-ecf89873a5b5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--d03785b3-9b51-45f2-aff5-029555c53826",
+ "created": "2026-04-23T00:28:16.750Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Department of Homeland Security September 2016",
+ "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ",
+ "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T20:13:01.636Z",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems.(Citation: Department of Homeland Security September 2016)",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d03de729-9235-4ceb-a1c0-935e2088020b.json b/ics-attack/relationship/relationship--d03de729-9235-4ceb-a1c0-935e2088020b.json
index 1e8666c14c..e9fd7f0fa7 100644
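Review bot: The citation `description` added under `external_references` in `relationship--d03785b3-9b51-45f2-aff5-029555c53826` reads as a half-filled template, `"Department of Homeland Security 2016, September Retrieved. 2020/09/25 "`, with no document title and a trailing space inside the string. Anyone auditing why this segmentation mitigation is mapped to the technique has only the `url` to go on, and that link points at a `us-cert.cisa.gov` path, so if it stops resolving the source cannot be identified from the text. I would add the document title (judging by the file name in the URL it is presumably the NCCIC/ICS-CERT defense-in-depth recommended practice; confirm against the PDF) and trim the trailing space.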
--- a/ics-attack/relationship/relationship--d03de729-9235-4ceb-a1c0-935e2088020b.json +++ b/ics-attack/relationship/relationship--d03de729-9235-4ceb-a1c0-935e2088020b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3e98edb7-7a4a-46d3-bdac-e2ab1eafde73", + "id": "bundle--090d539c-fba0-4a0b-ab38-95adbd0dbba8", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d03de729-9235-4ceb-a1c0-935e2088020b", "created": "2023-09-28T21:29:12.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:50.495Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--d0fb800d-f962-4e4f-a308-5e99374203c1.json b/ics-attack/relationship/relationship--d0fb800d-f962-4e4f-a308-5e99374203c1.json index 3025c1979c..adc59b4f15 100644 --- a/ics-attack/relationship/relationship--d0fb800d-f962-4e4f-a308-5e99374203c1.json +++ b/ics-attack/relationship/relationship--d0fb800d-f962-4e4f-a308-5e99374203c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--41c83509-e5ec-4498-a8e3-9d79e7ec3ae1", + "id": "bundle--17dbfd60-929b-4202-b91c-cd8a9fb818c3", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--fe11c904-752f-40e2-b269-c53bbb29541a", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", diff --git a/ics-attack/relationship/relationship--d1388bba-9869-4e3e-a6c9-430784ad924d.json b/ics-attack/relationship/relationship--d1388bba-9869-4e3e-a6c9-430784ad924d.json index 962580413e..cfe54de19d 100644 
--- a/ics-attack/relationship/relationship--d1388bba-9869-4e3e-a6c9-430784ad924d.json +++ b/ics-attack/relationship/relationship--d1388bba-9869-4e3e-a6c9-430784ad924d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3f025a43-72da-4f71-a2c7-1edfaca206d6", + "id": "bundle--26ea96cd-ecd0-4436-98a3-134600e19008", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d1388bba-9869-4e3e-a6c9-430784ad924d", "created": "2023-09-27T14:59:13.988Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Ukraine15 - EISAC - 201603", diff --git a/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json b/ics-attack/relationship/relationship--d1445579-245b-4698-a7df-365379e0d36d.json similarity index 77% rename from ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json rename to ics-attack/relationship/relationship--d1445579-245b-4698-a7df-365379e0d36d.json index 07eab013ef..cc810660d9 100644 --- a/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json +++ b/ics-attack/relationship/relationship--d1445579-245b-4698-a7df-365379e0d36d.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--576dc370-881f-4044-8d4c-f5674959284c", + "id": "bundle--d1494d99-2d22-4ac5-9cfb-630fb64841bd", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea", + "id": "relationship--d1445579-245b-4698-a7df-365379e0d36d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -29,14 +29,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-16T23:03:57.968Z",
- "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n",
+ "modified": "2026-04-23T19:12:02.052Z",
+ "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology.(Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory.(Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this.(Citation: Intel)\n",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405",
- "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json b/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json
index 66004df14c..fc0f6982f9 100644
--- a/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json
+++ b/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json
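Review bot: The rewritten `description` in the `@@ -29,14 +29,14 @@` hunk still carries `(Citation: N/A)` after "Use Trusted Platform Module technology." and still ends in a literal `\n`; the edit only removes the space before each citation marker. `N/A` looks like a placeholder rather than a source, which leaves the TPM recommendation effectively unsourced for anyone validating this firmware mitigation. The `external_references` list sits above this hunk, so whether an entry named `N/A` exists cannot be checked from here. I would either point the marker at a real reference or drop it, and strip the trailing newline so the string ends `...can assist with this.(Citation: Intel)"`.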
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--079e28fc-2e6e-4f51-942f-4d439166e58b", + "id": "bundle--bb67ac5a-00bb-4570-88fc-876c6893fc04", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d16e8909-d055-4174-aeb1-22c0613b2f73", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--d1a97502-b41d-40a8-aff5-13367fefc642.json b/ics-attack/relationship/relationship--d1a97502-b41d-40a8-aff5-13367fefc642.json index 5733f27c13..3c65ef998f 100644 --- a/ics-attack/relationship/relationship--d1a97502-b41d-40a8-aff5-13367fefc642.json +++ b/ics-attack/relationship/relationship--d1a97502-b41d-40a8-aff5-13367fefc642.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e086804a-7e7c-4f7d-8b64-2f63670e2124", + "id": "bundle--55ce1596-feae-44ee-b60a-ebff16337c96", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d1a97502-b41d-40a8-aff5-13367fefc642", "created": "2023-09-28T21:21:45.003Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:51.534Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json b/ics-attack/relationship/relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json index da1ec356a3..f9ea3802e2 100644 --- a/ics-attack/relationship/relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json +++ b/ics-attack/relationship/relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3bcd7182-6a4f-4bf8-8c9d-6f40e52f2932", + "id": "bundle--f1912708-38e4-4f3e-bae0-178669931ee3", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896", "created": "2023-09-29T16:28:52.111Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:51.758Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json b/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json index 84dd62d5a8..ccfc4211ce 100644 --- a/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json +++ b/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--697cc8dd-f732-4776-8c88-c9f2c113d366", + "id": "bundle--748a6074-da23-4fca-b369-aa6b42958e94", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d23fd724-563d-4f49-8bcd-09c653728cd3.json b/ics-attack/relationship/relationship--d23fd724-563d-4f49-8bcd-09c653728cd3.json index d8c8a9c7a9..92642fbdb1 100644 --- a/ics-attack/relationship/relationship--d23fd724-563d-4f49-8bcd-09c653728cd3.json +++ b/ics-attack/relationship/relationship--d23fd724-563d-4f49-8bcd-09c653728cd3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5e1915b0-a121-401f-a1b9-eb5b2a8dea79", + "id": "bundle--c4fa900c-df19-4249-9b24-cc9b1ad552d6", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--d23fd724-563d-4f49-8bcd-09c653728cd3", "created": "2023-09-28T21:28:00.462Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:52.170Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json b/ics-attack/relationship/relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json index ab583c396d..9b7e59b114 100644 --- a/ics-attack/relationship/relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json +++ b/ics-attack/relationship/relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8591b93-7b77-480e-872c-e9b99b65c1e7", + "id": "bundle--c1b7d05d-53fb-4b95-a739-61a248c43744", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242", "created": "2023-09-28T19:53:20.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:52.379Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--d2a434c7-4428-435e-ae6b-e54012f29606.json b/ics-attack/relationship/relationship--d2a434c7-4428-435e-ae6b-e54012f29606.json index ef8380750e..2e5cf31fa1 100644 --- a/ics-attack/relationship/relationship--d2a434c7-4428-435e-ae6b-e54012f29606.json +++ b/ics-attack/relationship/relationship--d2a434c7-4428-435e-ae6b-e54012f29606.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--423e319e-1c1d-45e1-aae6-89cc0ded0a88", + "id": "bundle--93ae3348-5462-4eaa-a089-f5b94843684d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d2a434c7-4428-435e-ae6b-e54012f29606", "created": "2023-09-25T20:43:52.987Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json b/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json index f242c933a2..8a2516eb50 100644 --- a/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json +++ b/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--575939b1-4f5e-4daa-a012-040212cf2dad", + "id": "bundle--f9d1d470-06d2-4453-b17c-363db59f09b3", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Robert Falcone, Bryan Lee May 2016", diff --git a/ics-attack/relationship/relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999.json b/ics-attack/relationship/relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999.json index 1794906346..57d62b7935 100644 --- a/ics-attack/relationship/relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999.json +++ b/ics-attack/relationship/relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f959570-7979-4d04-b478-99b485fd485c", + "id": "bundle--c45dc1de-9f14-4dc6-bd93-688d01231b9e", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999", "created": "2023-09-29T18:49:54.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:53.274Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72.json b/ics-attack/relationship/relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72.json index 11b154ea0f..70e7568c44 100644 --- a/ics-attack/relationship/relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72.json +++ b/ics-attack/relationship/relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04a790d0-8ca5-4c8c-9cbd-60276b82edf1", + "id": "bundle--b18cd674-508c-4c45-8cc8-be0e9a150793", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72", "created": "2023-09-28T19:38:27.199Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:53.470Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--d3717846-eaab-4fde-99f6-a972dec9323b.json b/ics-attack/relationship/relationship--d3717846-eaab-4fde-99f6-a972dec9323b.json index 6b9ba78f5c..1213e0208b 100644 --- a/ics-attack/relationship/relationship--d3717846-eaab-4fde-99f6-a972dec9323b.json +++ b/ics-attack/relationship/relationship--d3717846-eaab-4fde-99f6-a972dec9323b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ab19688-455c-481e-bf3b-ebffd005f36e", + "id": "bundle--8555a12e-1921-41dd-8988-0c1f5379e18b", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d3717846-eaab-4fde-99f6-a972dec9323b", "created": "2024-03-27T19:43:45.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos-Sandworm-Ukraine-2022", diff --git a/ics-attack/relationship/relationship--d3a24d5e-ae6e-4427-a1db-ae87b7a2b6e4.json b/ics-attack/relationship/relationship--d3a24d5e-ae6e-4427-a1db-ae87b7a2b6e4.json new file mode 100644 index 0000000000..cbd14d5502 --- /dev/null +++ b/ics-attack/relationship/relationship--d3a24d5e-ae6e-4427-a1db-ae87b7a2b6e4.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--fb161b1c-02cc-4cbe-bbf6-c2815afd7f9d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d3a24d5e-ae6e-4427-a1db-ae87b7a2b6e4", + "created": "2026-04-22T13:31:34.115Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:21:19.990Z", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
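Review bot: The new file relationship--d3a24d5e sets `"revoked": false` explicitly, while the other hunks of this commit delete that same line from existing relationship files (relationship--d3717846 just before it, for example). The later new files relationship--d40fab57, d462143c, d4f64f95, d65646f0, d67feaac and d72458b4 do the same. An absent `revoked` already defaults to false in STIX, so dropping the line here would keep the serialization uniform. If the property is kept on purpose for objects at `x_mitre_attack_spec_version` 3.3.0, the commit description should say so, because consumers that diff bundles will otherwise see two conventions.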
diff --git a/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json b/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json index 9bb795e7e8..8ae069fde2 100644 --- a/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json +++ b/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--52ba57d6-dae5-4ff7-b306-092956e982bd", + "id": "bundle--05df7255-ee46-4d75-8c7c-051b914def16", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d3d4f469-9847-41ef-a478-5eaf6003d483.json b/ics-attack/relationship/relationship--d3d4f469-9847-41ef-a478-5eaf6003d483.json index d69983fea1..3bce8ded92 100644 --- a/ics-attack/relationship/relationship--d3d4f469-9847-41ef-a478-5eaf6003d483.json +++ b/ics-attack/relationship/relationship--d3d4f469-9847-41ef-a478-5eaf6003d483.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2bd9b4c2-f87a-4339-b1ec-c50c03620f69", + "id": "bundle--b48cc46c-2898-425e-b47d-3c5c2237024c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d3d4f469-9847-41ef-a478-5eaf6003d483", "created": "2023-10-02T20:23:00.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:53.992Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--d3ec223b-9dca-4e5e-8d09-b69a04110eec.json b/ics-attack/relationship/relationship--d3ec223b-9dca-4e5e-8d09-b69a04110eec.json index 273bec5ce4..33da1fd362 100644 --- a/ics-attack/relationship/relationship--d3ec223b-9dca-4e5e-8d09-b69a04110eec.json 
+++ b/ics-attack/relationship/relationship--d3ec223b-9dca-4e5e-8d09-b69a04110eec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a2ebb99e-a67e-4097-8e48-d9131bf410cb", + "id": "bundle--03abf6c2-9554-4aa7-8108-d5d1fbe2d8c8", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d3ec223b-9dca-4e5e-8d09-b69a04110eec", "created": "2025-09-29T19:07:38.953Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--d40fab57-a843-45b9-a70d-6c795e1cc476.json b/ics-attack/relationship/relationship--d40fab57-a843-45b9-a70d-6c795e1cc476.json new file mode 100644 index 0000000000..c314728a3a --- /dev/null +++ b/ics-attack/relationship/relationship--d40fab57-a843-45b9-a70d-6c795e1cc476.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--1874fca6-f1d5-4838-9c99-0edb52a68a6e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d40fab57-a843-45b9-a70d-6c795e1cc476", + "created": "2026-04-22T21:41:08.012Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:41:08.012Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d45464ea-98b2-4f57-8f42-1cccc49e075f.json b/ics-attack/relationship/relationship--d45464ea-98b2-4f57-8f42-1cccc49e075f.json index b26341427b..cf48d59b9e 100644 
--- a/ics-attack/relationship/relationship--d45464ea-98b2-4f57-8f42-1cccc49e075f.json +++ b/ics-attack/relationship/relationship--d45464ea-98b2-4f57-8f42-1cccc49e075f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe8ff848-03ba-4a89-a104-1c71082bac66", + "id": "bundle--3ef3bffe-167e-41bb-9b88-9bc3a960cd89", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d45464ea-98b2-4f57-8f42-1cccc49e075f", "created": "2025-09-24T18:14:34.036Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--d455330d-f190-4854-8087-4c2c37003b45.json b/ics-attack/relationship/relationship--d455330d-f190-4854-8087-4c2c37003b45.json index 5c5a6f4eb0..7cae0847b8 100644 --- a/ics-attack/relationship/relationship--d455330d-f190-4854-8087-4c2c37003b45.json +++ b/ics-attack/relationship/relationship--d455330d-f190-4854-8087-4c2c37003b45.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf4dcccd-bbed-4efb-987f-ed85a7a0d79f", + "id": "bundle--6aa13cc2-0232-4960-be69-a69fe6f3056d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d455330d-f190-4854-8087-4c2c37003b45", "created": "2023-09-29T17:39:29.897Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:54.422Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--d462143c-69d1-44c9-b657-b64deb12eab8.json b/ics-attack/relationship/relationship--d462143c-69d1-44c9-b657-b64deb12eab8.json new file mode 100644 index 0000000000..8e0a03ae85 --- /dev/null 
+++ b/ics-attack/relationship/relationship--d462143c-69d1-44c9-b657-b64deb12eab8.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--c43d4675-411d-4b4c-b748-0f01d4de06a7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d462143c-69d1-44c9-b657-b64deb12eab8", + "created": "2026-04-22T16:05:26.631Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:56:04.175Z", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d48894cb-457e-4a81-82b4-2d735aea5128.json b/ics-attack/relationship/relationship--d48894cb-457e-4a81-82b4-2d735aea5128.json index 612a3a3d1d..e77b8042d3 100644 --- a/ics-attack/relationship/relationship--d48894cb-457e-4a81-82b4-2d735aea5128.json +++ b/ics-attack/relationship/relationship--d48894cb-457e-4a81-82b4-2d735aea5128.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f139f4e-d45e-4edb-9174-149d7c51103e", + "id": "bundle--85991d4b-4044-4d6f-9ded-2b91d09f6f56", "spec_version": "2.0", "objects": [ { 
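Review bot: The `description` added in relationship--d462143c presents firmware encryption as the control that keeps adversaries from finding vulnerabilities, which overstates what encryption gives a defender. Encrypting the image only slows analysis for as long as the decryption key cannot be recovered from the device or the update tooling. It also does not stop a modified image from being accepted unless it is paired with signature verification. Wording such as `Encrypting firmware images raises the effort needed to analyze them for vulnerabilities; pair it with integrity verification of the image.` sets the expectation correctly. The target technique `attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20` is not shown on this page, so check the final wording against it.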
@@ -8,12 +8,10 @@ "id": "relationship--d48894cb-457e-4a81-82b4-2d735aea5128", "created": "2023-09-28T19:50:56.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:54.613Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json b/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json index 74c6b7776d..c9f37bdee6 100644 --- a/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json +++ b/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--68cdb983-f5fa-4157-b787-6b1bed4d9015", + "id": "bundle--d8ffbb07-a45e-4d5d-be0f-e45645e492f8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d4a6d928-ac0c-4b27-a3bc-e42703b5859c.json b/ics-attack/relationship/relationship--d4a6d928-ac0c-4b27-a3bc-e42703b5859c.json index 097d52fc63..68a50cb6cc 100644 --- a/ics-attack/relationship/relationship--d4a6d928-ac0c-4b27-a3bc-e42703b5859c.json +++ b/ics-attack/relationship/relationship--d4a6d928-ac0c-4b27-a3bc-e42703b5859c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ff364e4-113b-4586-8d54-27c83b6f2e57", + "id": "bundle--57035c63-1ad9-4768-9166-9f392d8ed432", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d4a6d928-ac0c-4b27-a3bc-e42703b5859c", "created": "2025-09-29T19:02:23.617Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--d4da5e90-7986-4c8a-bfb6-df4c0586ce87.json b/ics-attack/relationship/relationship--d4da5e90-7986-4c8a-bfb6-df4c0586ce87.json index 6cb656e306..c802179d2c 100644 --- a/ics-attack/relationship/relationship--d4da5e90-7986-4c8a-bfb6-df4c0586ce87.json +++ b/ics-attack/relationship/relationship--d4da5e90-7986-4c8a-bfb6-df4c0586ce87.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--db5bb5a6-8da1-4fa3-9dfe-8105265d6800", + "id": "bundle--d32e6897-94d6-493f-a920-f789b048288a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d4da5e90-7986-4c8a-bfb6-df4c0586ce87", "created": "2024-03-27T20:48:27.536Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Mandiant-Sandworm-Ukraine-2022", diff --git a/ics-attack/relationship/relationship--d4f64f95-42cd-46e6-8fcf-25ef0d868f5b.json b/ics-attack/relationship/relationship--d4f64f95-42cd-46e6-8fcf-25ef0d868f5b.json new file mode 100644 index 0000000000..6d31753774 --- /dev/null +++ b/ics-attack/relationship/relationship--d4f64f95-42cd-46e6-8fcf-25ef0d868f5b.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--e3e08097-c84a-4ce9-8c4e-fa275a43a7fd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d4f64f95-42cd-46e6-8fcf-25ef0d868f5b", + "created": "2026-04-23T00:25:42.814Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:29:40.909Z", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json b/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json index 439527ea46..143e2b7c37 100644 --- a/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json +++ b/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c238fdf9-dbfe-43da-a8dd-976c3f6c1fa4", + "id": "bundle--36821f3a-7e2f-4c6a-8b0c-0f34dfc3c971", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a", "created": "2019-03-25T19:13:54.947Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik April 2019", 
diff --git a/ics-attack/relationship/relationship--d5289c2e-e5c4-443d-94ec-ce9a44992065.json b/ics-attack/relationship/relationship--d5289c2e-e5c4-443d-94ec-ce9a44992065.json index 8d7e94d637..ab723135a2 100644 --- a/ics-attack/relationship/relationship--d5289c2e-e5c4-443d-94ec-ce9a44992065.json +++ b/ics-attack/relationship/relationship--d5289c2e-e5c4-443d-94ec-ce9a44992065.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f56ad321-6068-4058-979c-fd76d1605890", + "id": "bundle--dabc1649-6d0c-4ad9-9d98-a06e99b7e8db", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d5289c2e-e5c4-443d-94ec-ce9a44992065", "created": "2025-09-24T17:56:06.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b.json b/ics-attack/relationship/relationship--d55057c5-988d-4f66-bfba-650c49259d01.json similarity index 71% rename from ics-attack/relationship/relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b.json rename to ics-attack/relationship/relationship--d55057c5-988d-4f66-bfba-650c49259d01.json index 462505ae9e..e130171457 100644 --- a/ics-attack/relationship/relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b.json +++ b/ics-attack/relationship/relationship--d55057c5-988d-4f66-bfba-650c49259d01.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--a7e898ac-8dc0-48e7-ab06-ef24026c6f06", + "id": "bundle--748b1a51-00ef-4693-83ff-6fc20c786910", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b", + "id": "relationship--d55057c5-988d-4f66-bfba-650c49259d01", "created": "2023-09-29T17:37:50.048Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:06.042Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d58d8b19-90bc-4a7f-840d-076be296ff20.json b/ics-attack/relationship/relationship--d58d8b19-90bc-4a7f-840d-076be296ff20.json index c635016c9a..d2a3dcb468 100644 --- a/ics-attack/relationship/relationship--d58d8b19-90bc-4a7f-840d-076be296ff20.json +++ b/ics-attack/relationship/relationship--d58d8b19-90bc-4a7f-840d-076be296ff20.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9f850449-6ec1-491e-ae78-0736670d12ba", + "id": "bundle--fdc7dd65-08f4-4b00-b7b8-e48fd5a651cc", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d58d8b19-90bc-4a7f-840d-076be296ff20", "created": "2023-09-29T17:09:01.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:55.324Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json b/ics-attack/relationship/relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json index d5ba4925ff..ee89f6576f 100644 --- a/ics-attack/relationship/relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json 
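Review bot: The renamed object gets a new `id` (`relationship--d55057c5-988d-4f66-bfba-650c49259d01`) and a new `source_ref`, yet `created` and `modified` keep the copied values `2023-09-29T17:37:50.048Z` (first hunk) and `2025-04-16T23:04:06.042Z` (this hunk). A consumer that syncs on `id` plus `modified` has no timestamp signal that the link now points from `attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5`. The retargeted relationship earlier on this page did bump `modified` to `2026-04-23T19:12:02.052Z`, and the newly added files use fresh timestamps for both fields. Setting `created` and `modified` to the time of this change would be consistent with those. The old `relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b` is also removed rather than marked `"revoked": true`, so stores that never delete will keep the stale link unless told otherwise.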
+++ b/ics-attack/relationship/relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2eb2f0ef-bd5c-4115-b637-9530eada4bc8", + "id": "bundle--1563148b-2fec-4af5-ae89-3e287c6c8f87", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a", "created": "2023-09-28T19:43:49.584Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:55.515Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json b/ics-attack/relationship/relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json index cc98d29c78..115ac98b3e 100644 --- a/ics-attack/relationship/relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json +++ b/ics-attack/relationship/relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--45cd198f-3919-4cee-bf0d-d48dba3fea3d", + "id": "bundle--4185bbc0-0105-4273-bb17-4c7317fc5210", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d", "created": "2023-09-29T17:38:17.313Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:55.721Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", 
diff --git a/ics-attack/relationship/relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0.json b/ics-attack/relationship/relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0.json index 117c5d2095..7afea85483 100644 --- a/ics-attack/relationship/relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0.json +++ b/ics-attack/relationship/relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--81aaddd1-6fe8-431a-82a2-36ae12d0407b", + "id": "bundle--305dfbf2-a214-44fd-bd72-b6cdc3be76ec", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0", "created": "2023-09-29T17:08:23.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:55.928Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--d65646f0-f90c-4415-bbde-cce61f13898f.json b/ics-attack/relationship/relationship--d65646f0-f90c-4415-bbde-cce61f13898f.json new file mode 100644 index 0000000000..6d0cac1d78 --- /dev/null +++ b/ics-attack/relationship/relationship--d65646f0-f90c-4415-bbde-cce61f13898f.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--375f4724-98c7-40e9-9170-fb9d8d9b9eb4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d65646f0-f90c-4415-bbde-cce61f13898f", + "created": "2026-04-22T22:46:53.310Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:46:53.310Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d67ae959-9014-4501-b963-42bee03a5e3b.json b/ics-attack/relationship/relationship--d67ae959-9014-4501-b963-42bee03a5e3b.json index a5240cbcf2..9cae701575 100644 --- a/ics-attack/relationship/relationship--d67ae959-9014-4501-b963-42bee03a5e3b.json +++ b/ics-attack/relationship/relationship--d67ae959-9014-4501-b963-42bee03a5e3b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--83167366-6141-4fe8-9685-96ea60ed65a7", + "id": "bundle--51aee852-e71b-474e-a1c0-e7c5a7de90ad", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d67ae959-9014-4501-b963-42bee03a5e3b", "created": "2024-03-25T20:09:34.908Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jamie Tarabay and Katrina Manson December 2023", diff --git a/ics-attack/relationship/relationship--d67feaac-73ac-47b1-91ec-f537105afc58.json b/ics-attack/relationship/relationship--d67feaac-73ac-47b1-91ec-f537105afc58.json new file mode 100644 index 0000000000..6ea70cbe85 --- /dev/null 
+++ b/ics-attack/relationship/relationship--d67feaac-73ac-47b1-91ec-f537105afc58.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--e94b4dc9-5fe6-473e-8970-335eb72eaf1f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d67feaac-73ac-47b1-91ec-f537105afc58", + "created": "2026-04-22T17:51:33.089Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T19:38:07.805Z", + "description": "When at rest, project files should be encrypted to prevent unauthorized changes.(Citation: National Institute of Standards and Technology April 2013)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json b/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json index a904bf82bb..02cbe0a6ad 100644 --- a/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json +++ b/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json 
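Review bot: The `description` in relationship--d67feaac says that encrypting project files at rest prevents unauthorized changes, but encryption protects confidentiality. On its own it does not stop a file from being replaced or altered, unless an authenticated mode or a separate signature/hash check is applied when the file is loaded. A wording such as `When at rest, project files should be encrypted and integrity-protected to prevent unauthorized disclosure or changes.` matches what the control can deliver. The `external_references` entry is also garbled: `2013, April Security and Privacy Controls ... Retrieved. 2020/09/17 ` has misplaced punctuation and a trailing space. Its URL points at SP 800-53 revision 4, which NIST has since superseded with revision 5.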
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c14036bc-61f6-4e8c-bfe3-da5211f56f20", + "id": "bundle--bc8f33da-99ff-41f4-94c6-5e54cd7f05fa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d717cc26-2fab-42cd-a67f-7079b1ce8f15.json b/ics-attack/relationship/relationship--d717cc26-2fab-42cd-a67f-7079b1ce8f15.json index 5a81e3f596..4f5caa09bd 100644 --- a/ics-attack/relationship/relationship--d717cc26-2fab-42cd-a67f-7079b1ce8f15.json +++ b/ics-attack/relationship/relationship--d717cc26-2fab-42cd-a67f-7079b1ce8f15.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e439a6f1-d4b7-407a-8222-7a40c7f73ecf", + "id": "bundle--b4b3fb9f-27d6-446f-97f5-bf152e5c571e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d717cc26-2fab-42cd-a67f-7079b1ce8f15", "created": "2025-09-24T18:18:58.353Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--d72458b4-b72b-4f0b-96da-eb3d9c6ef9a2.json b/ics-attack/relationship/relationship--d72458b4-b72b-4f0b-96da-eb3d9c6ef9a2.json new file mode 100644 index 0000000000..adbc362008 --- /dev/null +++ b/ics-attack/relationship/relationship--d72458b4-b72b-4f0b-96da-eb3d9c6ef9a2.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--fd9845cd-ab6c-4296-b5c8-0b124caddbb9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d72458b4-b72b-4f0b-96da-eb3d9c6ef9a2", + "created": "2026-04-22T20:39:30.233Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:39:30.233Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json b/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json index 919c412044..3eba53b6c8 100644 --- a/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json +++ b/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0a9ec48-902a-4ee1-ab53-581265fb2c96", + "id": "bundle--9f13aff6-644c-40b6-bce4-ebe3ff8ef43d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d72e7d01-56be-4fbd-8957-3384533ba83b", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jos Wetzels January 2018", diff --git a/ics-attack/relationship/relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de.json b/ics-attack/relationship/relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de.json index b73669136d..4c5c83200f 100644 --- a/ics-attack/relationship/relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de.json 
+++ b/ics-attack/relationship/relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--24c11e9a-c314-471c-8ce0-09d5ce02df1a", + "id": "bundle--a582adc1-634a-4e23-b7e9-02c31ca98d82", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de", "created": "2023-09-29T18:48:41.176Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:57.155Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--d7ab9f93-163e-4000-9573-674a7e4de44c.json b/ics-attack/relationship/relationship--d7ab9f93-163e-4000-9573-674a7e4de44c.json new file mode 100644 index 0000000000..0f91225dd9 --- /dev/null +++ b/ics-attack/relationship/relationship--d7ab9f93-163e-4000-9573-674a7e4de44c.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--2a5d844f-2e4c-45ff-843d-84b1f84e37f7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d7ab9f93-163e-4000-9573-674a7e4de44c", + "created": "2026-04-22T20:26:01.557Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:26:01.557Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5.json b/ics-attack/relationship/relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5.json index 28a807478b..d5b12334c3 100644 --- a/ics-attack/relationship/relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5.json +++ b/ics-attack/relationship/relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--86f3d834-2065-4381-8a4a-015409c265f3", + "id": "bundle--2a721e8e-10b2-405e-9bcc-f537ebb615cc", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5", "created": "2023-09-28T20:29:50.745Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:57.388Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json b/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json index 4234f25186..3a66c99fbc 100644 --- a/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json +++ b/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e028deea-a550-4953-91f6-bdb73a569a0f", + "id": "bundle--6bdde526-06bd-4643-b358-ed321b62cf6d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d7ea83fa-87c7-4d36-96d5-aee554504040", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ESET Bad Rabbit", 
diff --git a/ics-attack/relationship/relationship--d80c615e-addc-49c8-a2b9-991e24678d86.json b/ics-attack/relationship/relationship--d80c615e-addc-49c8-a2b9-991e24678d86.json index 3143f0ab3b..4edb220e4b 100644 --- a/ics-attack/relationship/relationship--d80c615e-addc-49c8-a2b9-991e24678d86.json +++ b/ics-attack/relationship/relationship--d80c615e-addc-49c8-a2b9-991e24678d86.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c097f8e2-6ee9-43fe-afcb-442e109d8896", + "id": "bundle--feb29a45-5348-4b17-a14d-870c33229a72", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--6d2ba563-0aa9-4f64-a14d-da62b694b495", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", diff --git a/ics-attack/relationship/relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json b/ics-attack/relationship/relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json index 423e65edff..8e09eee74c 100644 --- a/ics-attack/relationship/relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json +++ b/ics-attack/relationship/relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b9ab7724-4c78-4c2f-8772-7c5c76dd0ede", + "id": "bundle--f1c13dd1-5590-4245-8927-f6b19c5980a9", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18", "created": "2023-09-29T16:46:01.992Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:57.843Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
diff --git a/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json b/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json index 24a6caef40..c813b5651e 100644 --- a/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json +++ b/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13c232ef-c1a4-43a3-a681-a65425b09e79", + "id": "bundle--d1733a05-f456-44e8-b275-bca8c7e761a9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", diff --git a/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json b/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json index 4892b6afa4..b14c4991fd 100644 --- a/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json +++ b/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d8a8dd99-6fc6-40bc-bb3a-26f535805c48", + "id": "bundle--cc4578cc-d42d-4bd6-8000-550ddeba8395", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d854cc38-adf7-485d-96b5-70606f6cb87e", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json b/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json index cbedd71d8f..f6cef9eaac 100644 
--- a/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json +++ b/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ab75273-c893-45ce-972e-eb84b7d84b23", + "id": "bundle--fefceba2-b6f6-4b2d-84aa-469fa035a6ef", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d8911566-f622-4a01-b765-514dbbfd8201", "created": "2022-09-28T20:27:01.345Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Wylie-22", diff --git a/ics-attack/relationship/relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json b/ics-attack/relationship/relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json index 9226f463af..34f8093621 100644 --- a/ics-attack/relationship/relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json +++ b/ics-attack/relationship/relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--305e17b3-1238-4c11-8f6a-2a60c6f00066", + "id": "bundle--65a95a71-3aba-48d0-ac2c-6dccbab92cde", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa", "created": "2023-09-28T21:14:51.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:58.678Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json b/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json index 1801bcda7b..3754e29f63 100644 
--- a/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json +++ b/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--670fe9ff-17dc-4833-a588-5cac917f1f05", + "id": "bundle--9131e333-18c2-4151-946f-23e7cbab8680", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d8f95008-33c9-4572-9916-023d8de449b1.json b/ics-attack/relationship/relationship--d8f95008-33c9-4572-9916-023d8de449b1.json index b604e8ea5e..9454e927ac 100644 --- a/ics-attack/relationship/relationship--d8f95008-33c9-4572-9916-023d8de449b1.json +++ b/ics-attack/relationship/relationship--d8f95008-33c9-4572-9916-023d8de449b1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--911272df-9cf5-4ef4-a31e-4b531122bc40", + "id": "bundle--3b31cf3c-3bed-4e68-9c25-ba28a445780c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d8f95008-33c9-4572-9916-023d8de449b1", "created": "2023-09-29T18:04:16.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:59.116Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json b/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json index b2ee7e863e..d4c7d32f4d 100644 --- a/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json +++ b/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d5ff811f-36a3-4889-8eca-aac038dcaea8", + "id": "bundle--bc5caa07-ddc1-4a3d-a538-afd6995f8fcb", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "ICS-CERT August 2018", diff --git a/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json b/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json index 85a3d0b8a6..67381a9606 100644 --- a/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json +++ b/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9f766985-7b98-479e-851a-8913ffd11d3d", + "id": "bundle--8697ea23-59dc-485a-863b-76a528f48da8", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", diff --git a/ics-attack/relationship/relationship--d96788b4-55dd-48df-bb9b-83b33ca24813.json b/ics-attack/relationship/relationship--d96788b4-55dd-48df-bb9b-83b33ca24813.json index aa2618271d..24ea3f5068 100644 --- a/ics-attack/relationship/relationship--d96788b4-55dd-48df-bb9b-83b33ca24813.json +++ b/ics-attack/relationship/relationship--d96788b4-55dd-48df-bb9b-83b33ca24813.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--007a3e9a-466c-4302-bed8-87766e9c6c9e", + "id": "bundle--a4aa5037-2f8c-482c-8017-9ff6d3af17c1", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--d96788b4-55dd-48df-bb9b-83b33ca24813", "created": "2023-09-28T19:55:22.376Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:04:59.970Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--d99a28f4-6536-4d73-9241-497cda9a8878.json b/ics-attack/relationship/relationship--d99a28f4-6536-4d73-9241-497cda9a8878.json index d9da13e317..49d06edd5d 100644 --- a/ics-attack/relationship/relationship--d99a28f4-6536-4d73-9241-497cda9a8878.json +++ b/ics-attack/relationship/relationship--d99a28f4-6536-4d73-9241-497cda9a8878.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c0be8f3e-1163-4a2d-ac07-b0bed1098abd", + "id": "bundle--dc3106d9-7d87-4e05-8742-364e9d91fb0f", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--1bae319f-03d8-49c9-8bb8-e4f27bb69a11", "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", diff --git a/ics-attack/relationship/relationship--99fa6d92-0c41-44ed-bd30-dd0413785883.json b/ics-attack/relationship/relationship--d99fecbc-a7ea-4430-b933-afd239c4555b.json similarity index 71% rename from ics-attack/relationship/relationship--99fa6d92-0c41-44ed-bd30-dd0413785883.json rename to ics-attack/relationship/relationship--d99fecbc-a7ea-4430-b933-afd239c4555b.json index b5e9024c70..f080ff5b11 100644 --- a/ics-attack/relationship/relationship--99fa6d92-0c41-44ed-bd30-dd0413785883.json 
+++ b/ics-attack/relationship/relationship--d99fecbc-a7ea-4430-b933-afd239c4555b.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--dacc34e0-8109-487a-a33f-f18f61ee7de9", + "id": "bundle--4f3eb0c5-72d6-45d3-ac7c-5ff5074b8892", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--99fa6d92-0c41-44ed-bd30-dd0413785883", + "id": "relationship--d99fecbc-a7ea-4430-b933-afd239c4555b", "created": "2023-09-29T18:43:23.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:47.537Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--15cf990b-ee67-4f86-a06b-20691274568a.json b/ics-attack/relationship/relationship--d9a351b5-1d77-4f16-a191-1a8992c5bb5b.json similarity index 78% rename from ics-attack/relationship/relationship--15cf990b-ee67-4f86-a06b-20691274568a.json rename to ics-attack/relationship/relationship--d9a351b5-1d77-4f16-a191-1a8992c5bb5b.json index d708a2ad81..1f2a4121a6 100644 --- a/ics-attack/relationship/relationship--15cf990b-ee67-4f86-a06b-20691274568a.json +++ b/ics-attack/relationship/relationship--d9a351b5-1d77-4f16-a191-1a8992c5bb5b.json 
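Review bot: This rename gives the relationship a new `id` (`relationship--d99fecbc-a7ea-4430-b933-afd239c4555b`) and a new `source_ref`, but leaves `"modified": "2025-04-16T23:03:47.537Z"` and the 2023 `created` value untouched. The old id `relationship--99fa6d92-0c41-44ed-bd30-dd0413785883` disappears with no revoked object left behind. As far as this diff shows, a consumer that syncs incrementally on `modified`, or keys stored mappings on the relationship id, could miss the new object and keep the stale technique-to-asset link. Consider bumping the timestamp, `"modified": "<release timestamp>"`, or keeping a revoked stub for the old id. The same pattern appears in the renames to `relationship--d9a351b5-1d77-4f16-a191-1a8992c5bb5b` and `relationship--da38a045-d29a-4c08-9951-c8e520229584`; for the latter the `modified` line lies outside the hunk.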
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--ffe45a1a-ec3a-42ce-8d24-dac11b36109a", + "id": "bundle--dc8394fa-3b76-4662-9b25-c51b16a73f17", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--15cf990b-ee67-4f86-a06b-20691274568a", + "id": "relationship--d9a351b5-1d77-4f16-a191-1a8992c5bb5b", "created": "2025-09-24T17:57:31.366Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-24T17:57:31.366Z", "relationship_type": "targets", - "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "source_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, diff --git a/ics-attack/relationship/relationship--d9de58a6-58fd-499c-ba7d-588239297179.json b/ics-attack/relationship/relationship--d9de58a6-58fd-499c-ba7d-588239297179.json index c097366355..ff5292b54c 100644 --- a/ics-attack/relationship/relationship--d9de58a6-58fd-499c-ba7d-588239297179.json +++ b/ics-attack/relationship/relationship--d9de58a6-58fd-499c-ba7d-588239297179.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--51848bd6-11cf-4ae0-839f-80dd732465ec", + "id": "bundle--9faa0d11-5e30-4534-86dd-6cf189149b66", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d9de58a6-58fd-499c-ba7d-588239297179", "created": "2023-09-29T16:42:31.464Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:00.181Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
diff --git a/ics-attack/relationship/relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json b/ics-attack/relationship/relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json index 68a5b1e9e2..e95b8097bf 100644 --- a/ics-attack/relationship/relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json +++ b/ics-attack/relationship/relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fb1b2398-eb43-4e8f-afdc-0a3c8b4ff38c", + "id": "bundle--877c1d2f-5e2a-4e0f-930a-f7a53a8c3046", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5", "created": "2023-09-28T19:51:11.687Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:00.416Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a.json b/ics-attack/relationship/relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a.json index 4059c852d9..4ed2dbad3c 100644 --- a/ics-attack/relationship/relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a.json +++ b/ics-attack/relationship/relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4f98ad3b-6812-4904-bb9e-0997f5a7c326", + "id": "bundle--b5e77e1d-a489-4ea0-8e6c-fc07f391fec9", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a", "created": "2023-09-29T16:42:53.226Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:00.613Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--da246386-12c6-4d7e-adc2-f3148686d6c1.json b/ics-attack/relationship/relationship--da246386-12c6-4d7e-adc2-f3148686d6c1.json index ad08efbb03..9fd484029f 100644 --- a/ics-attack/relationship/relationship--da246386-12c6-4d7e-adc2-f3148686d6c1.json +++ b/ics-attack/relationship/relationship--da246386-12c6-4d7e-adc2-f3148686d6c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0cbf61ed-1cb4-474c-87ef-6db3e5d0ef2b", + "id": "bundle--588594a4-3d3d-4203-81d1-4918553e9e45", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--da246386-12c6-4d7e-adc2-f3148686d6c1", "created": "2025-09-29T22:06:02.769Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949.json b/ics-attack/relationship/relationship--da38a045-d29a-4c08-9951-c8e520229584.json similarity index 85% rename from ics-attack/relationship/relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949.json rename to ics-attack/relationship/relationship--da38a045-d29a-4c08-9951-c8e520229584.json index cb129df05d..db787ea080 100644 --- a/ics-attack/relationship/relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949.json +++ b/ics-attack/relationship/relationship--da38a045-d29a-4c08-9951-c8e520229584.json 
@@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--5702bda6-6185-480e-ad50-3c5be4e9b9ca", + "id": "bundle--22ff1d0a-1562-4829-90b1-0978df6c2971", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949", + "id": "relationship--da38a045-d29a-4c08-9951-c8e520229584", "created": "2023-09-27T14:48:40.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -23,10 +23,10 @@ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)", "relationship_type": "uses", "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--da6aa4ab-039e-40fc-8188-8006ccd2ea8c.json b/ics-attack/relationship/relationship--da6aa4ab-039e-40fc-8188-8006ccd2ea8c.json new file mode 100644 index 0000000000..ee1853dfe1 --- /dev/null +++ b/ics-attack/relationship/relationship--da6aa4ab-039e-40fc-8188-8006ccd2ea8c.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a5020dfe-748b-4a1e-81d9-c930774892ca", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--da6aa4ab-039e-40fc-8188-8006ccd2ea8c", + "created": "2026-04-22T13:27:55.225Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:27:55.225Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0.json b/ics-attack/relationship/relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0.json index 5e1c2d68dc..c2e992e76b 100644 --- a/ics-attack/relationship/relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0.json +++ b/ics-attack/relationship/relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b31be5ec-4669-4c16-8b4d-aff4c8e46de7", + "id": "bundle--ece3c465-f1a3-451e-97e1-39446abc152e", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0", "created": "2023-09-29T18:06:57.332Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:00.816Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", 
diff --git a/ics-attack/relationship/relationship--da987131-bf37-4730-9914-323879d2b5c3.json b/ics-attack/relationship/relationship--da987131-bf37-4730-9914-323879d2b5c3.json index 511aa13c6b..db1d95d456 100644 --- a/ics-attack/relationship/relationship--da987131-bf37-4730-9914-323879d2b5c3.json +++ b/ics-attack/relationship/relationship--da987131-bf37-4730-9914-323879d2b5c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6a16d5ff-5eba-4967-9546-e214d51d13c3", + "id": "bundle--6cf06f38-3c36-449b-b781-864b94ca45de", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--da987131-bf37-4730-9914-323879d2b5c3", "created": "2023-09-28T20:34:11.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:01.013Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json b/ics-attack/relationship/relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json index c9b82303b8..a0149192ba 100644 --- a/ics-attack/relationship/relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json +++ b/ics-attack/relationship/relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eaf1f623-efb2-46e9-ad6f-7c6f5fc6ecb3", + "id": "bundle--aef1526b-7bec-4a13-9423-d506f7b8a523", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8", "created": "2023-09-28T19:44:22.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:01.207Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--dae4ef38-bd41-45e0-b780-ea9d411386d3.json b/ics-attack/relationship/relationship--dae4ef38-bd41-45e0-b780-ea9d411386d3.json index a173dc67fb..a438ca992d 100644 --- a/ics-attack/relationship/relationship--dae4ef38-bd41-45e0-b780-ea9d411386d3.json +++ b/ics-attack/relationship/relationship--dae4ef38-bd41-45e0-b780-ea9d411386d3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8cf77074-b8bf-47b8-812f-96415c911544", + "id": "bundle--d0f35bb9-0f53-48bb-b9a6-75198d3de837", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--e8b537e6-04eb-4168-a206-88cc041edf50", "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", diff --git a/ics-attack/relationship/relationship--db46e84f-435e-4022-b484-e6d2e253660c.json b/ics-attack/relationship/relationship--db46e84f-435e-4022-b484-e6d2e253660c.json index f2b5391dd6..add5f41763 100644 --- a/ics-attack/relationship/relationship--db46e84f-435e-4022-b484-e6d2e253660c.json +++ b/ics-attack/relationship/relationship--db46e84f-435e-4022-b484-e6d2e253660c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3abaa88-58e5-494d-8b3c-6d24462fad91", + "id": "bundle--9e42242e-732d-470e-92f9-3617bc259e20", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--db46e84f-435e-4022-b484-e6d2e253660c", "created": "2023-09-29T18:06:13.468Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:01.600Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--db5e5a2a-dc41-4f04-910e-ab4dfccd1e0d.json b/ics-attack/relationship/relationship--db5e5a2a-dc41-4f04-910e-ab4dfccd1e0d.json new file mode 100644 index 0000000000..97eef81bb6 --- /dev/null +++ b/ics-attack/relationship/relationship--db5e5a2a-dc41-4f04-910e-ab4dfccd1e0d.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--18f6cde1-3e57-4558-8aa2-ee558ad1fead", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--db5e5a2a-dc41-4f04-910e-ab4dfccd1e0d", + "created": "2026-04-22T18:59:44.658Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:59:44.658Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--dbcc492c-782e-4418-8373-dbc7a76498b0.json b/ics-attack/relationship/relationship--dbcc492c-782e-4418-8373-dbc7a76498b0.json index 8f99ec0fea..ee1cdb098d 100644 
--- a/ics-attack/relationship/relationship--dbcc492c-782e-4418-8373-dbc7a76498b0.json +++ b/ics-attack/relationship/relationship--dbcc492c-782e-4418-8373-dbc7a76498b0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--39a982cc-0a82-43eb-959d-55ba9c19c561", + "id": "bundle--b3d11c8c-7961-4c4d-98e4-0e7be6193d03", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--dbcc492c-782e-4418-8373-dbc7a76498b0", "created": "2023-09-29T17:45:35.293Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:02.024Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json b/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json index 11a2cab6b0..7680f88ac8 100644 --- a/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json +++ b/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--abd20951-b77d-4b2a-af27-add2ca22958f", + "id": "bundle--672fe4a2-6f86-448a-aea1-4c8d686b2508", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json b/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json index fede2b8dfa..d54a762433 100644 --- a/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json +++ b/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aca7a486-133c-4b79-9633-77f222ae3f49", + "id": "bundle--098dab8a-f946-46f5-88fc-c93f8cc71f5b", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--dc35c44a-a90c-48a1-8811-af2618216e42", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--dc5736b5-b906-41e9-b772-53d92b1aa48c.json b/ics-attack/relationship/relationship--dc5736b5-b906-41e9-b772-53d92b1aa48c.json index 92e2037c4f..81acf0f3c2 100644 --- a/ics-attack/relationship/relationship--dc5736b5-b906-41e9-b772-53d92b1aa48c.json +++ b/ics-attack/relationship/relationship--dc5736b5-b906-41e9-b772-53d92b1aa48c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9847f55-8859-4d0d-8417-1147e7f2911e", + "id": "bundle--900fe75f-9a41-49f9-955b-9017435350f3", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--dc5736b5-b906-41e9-b772-53d92b1aa48c", "created": "2025-09-24T18:04:59.096Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--dd164aa3-1bec-4d3b-afb4-25f0e3a29f9f.json b/ics-attack/relationship/relationship--dd164aa3-1bec-4d3b-afb4-25f0e3a29f9f.json new file mode 100644 index 0000000000..a24d05256e --- /dev/null +++ b/ics-attack/relationship/relationship--dd164aa3-1bec-4d3b-afb4-25f0e3a29f9f.json 
@@ -0,0 +1,23 @@
+{
+ "type": "bundle",
+ "id": "bundle--3c132c73-50f0-4573-af15-69529baba111",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--dd164aa3-1bec-4d3b-afb4-25f0e3a29f9f",
+ "created": "2026-04-20T20:58:41.108Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-20T20:58:41.108Z",
+ "relationship_type": "revoked-by",
+ "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dd350208-e49c-412f-b249-f09d8203f1eb.json b/ics-attack/relationship/relationship--dd350208-e49c-412f-b249-f09d8203f1eb.json
index b5b32cb5e3..671806b6ad 100644
--- a/ics-attack/relationship/relationship--dd350208-e49c-412f-b249-f09d8203f1eb.json
+++ b/ics-attack/relationship/relationship--dd350208-e49c-412f-b249-f09d8203f1eb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a1328b0a-2e44-4c84-8a9e-606c4179347c",
+ "id": "bundle--8b1a44be-7bfa-4228-95c0-907a7a7e7fe3",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,7 +12,6 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-10-21T15:10:28.402Z",
- "description": "",
 "relationship_type": "detects",
 "source_ref": "x-mitre-detection-strategy--3a772c6d-fda2-404a-86aa-85a0bdbb43e9",
 "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5",
diff --git a/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json b/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json
index b12334452f..dcc731bc67 100644
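Review bot: The new `revoked-by` relationship `relationship--dd164aa3-1bec-4d3b-afb4-25f0e3a29f9f` is written without an `x_mitre_deprecated` key, while the other relationship files added in this change (for example `relationship--db5e5a2a-dc41-4f04-910e-ab4dfccd1e0d` and `relationship--de370506-01db-412f-a6fb-57c4014de788`) all carry `"x_mitre_deprecated": false`. If the omission is not intentional for `revoked-by` objects, add `"x_mitre_deprecated": false,` before `"x_mitre_attack_spec_version"` so that consumers filtering out deprecated or revoked content read every new object the same way. The same file still sets `"revoked": false` although the commit drops that key from existing relationships, so downstream tooling has to treat an absent key and an explicit `false` as equivalent.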
--- a/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json +++ b/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d9951b64-db3a-40e9-8f9a-96887145124d", + "id": "bundle--405e5c8e-3bcf-442a-89ab-02072a058515", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--dda89758-9d0b-446d-b594-85acc7f9cb90", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Department of Homeland Security October 2009", diff --git a/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json b/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json index 184cf9ffca..e526b1746c 100644 --- a/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json +++ b/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3687100e-a906-4388-940c-130bc5428eed", + "id": "bundle--4b0cf2f1-bdc6-49cd-857a-3d5acdfc8f2d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--de370506-01db-412f-a6fb-57c4014de788.json b/ics-attack/relationship/relationship--de370506-01db-412f-a6fb-57c4014de788.json new file mode 100644 index 0000000000..2c321df0c4 --- /dev/null +++ b/ics-attack/relationship/relationship--de370506-01db-412f-a6fb-57c4014de788.json 
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--a5ae27cd-1d5d-42e4-8123-75e9acd659bb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--de370506-01db-412f-a6fb-57c4014de788",
+ "created": "2026-04-23T00:38:54.094Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T17:32:39.523Z",
+ "description": "Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device.",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
+ "target_ref": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--de6a1c7c-8d90-4f5c-8618-7c7ea9a2da89.json b/ics-attack/relationship/relationship--de6a1c7c-8d90-4f5c-8618-7c7ea9a2da89.json
new file mode 100644
index 0000000000..527d22c438
--- /dev/null
+++ b/ics-attack/relationship/relationship--de6a1c7c-8d90-4f5c-8618-7c7ea9a2da89.json
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--055c74bf-0185-4a9d-8519-07100b977005",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--de6a1c7c-8d90-4f5c-8618-7c7ea9a2da89",
+ "created": "2026-04-22T16:02:26.676Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T15:49:23.881Z",
+ "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
+ "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--de973619-e66f-4cb8-92fc-0d5fe85214fa.json b/ics-attack/relationship/relationship--de973619-e66f-4cb8-92fc-0d5fe85214fa.json
new file mode 100644
index 0000000000..d356404d0f
--- /dev/null
+++ b/ics-attack/relationship/relationship--de973619-e66f-4cb8-92fc-0d5fe85214fa.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--cea5e9ad-4d9a-45a8-b0f7-d930df6d02e6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--de973619-e66f-4cb8-92fc-0d5fe85214fa",
+ "created": "2026-04-23T01:11:19.464Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "CERT Polska",
+ "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.",
+ "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T01:11:19.464Z",
+ "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used `arp` to conduct remote system discovery activities.(Citation: CERT Polska)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d",
+ "target_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--dead5325-7efe-4dcc-bf78-42b9190f74da.json b/ics-attack/relationship/relationship--dead5325-7efe-4dcc-bf78-42b9190f74da.json
index e50b463191..9885b699b0 100644
--- a/ics-attack/relationship/relationship--dead5325-7efe-4dcc-bf78-42b9190f74da.json
+++ b/ics-attack/relationship/relationship--dead5325-7efe-4dcc-bf78-42b9190f74da.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--eea0ab5f-7b74-4696-aebf-42f618201279",
+ "id": "bundle--2b41d78c-0546-4632-9ca7-16327d0387e8",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@ "id": "relationship--dead5325-7efe-4dcc-bf78-42b9190f74da", "created": "2023-09-29T16:46:40.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:03.868Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--deb83319-bc5a-4b9b-a44a-bd369b899601.json b/ics-attack/relationship/relationship--deb83319-bc5a-4b9b-a44a-bd369b899601.json index 451a99a959..14484468f3 100644 --- a/ics-attack/relationship/relationship--deb83319-bc5a-4b9b-a44a-bd369b899601.json +++ b/ics-attack/relationship/relationship--deb83319-bc5a-4b9b-a44a-bd369b899601.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fb2c346e-bc05-4866-9e95-e59185a50126", + "id": "bundle--39913796-b2e4-4788-9441-db5ff648de63", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--deb83319-bc5a-4b9b-a44a-bd369b899601", "created": "2024-03-25T20:18:12.056Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:04.076Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--1c5cf58c-a34a-40d7-82f4-f987cdfc2b91", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--def57041-6bb4-453a-bf04-188b9e97a35d.json b/ics-attack/relationship/relationship--def57041-6bb4-453a-bf04-188b9e97a35d.json index 304e768e96..5da36e5026 100644 --- a/ics-attack/relationship/relationship--def57041-6bb4-453a-bf04-188b9e97a35d.json +++ b/ics-attack/relationship/relationship--def57041-6bb4-453a-bf04-188b9e97a35d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30086828-8a85-4aa2-a448-d6c53de4ef3c", + "id": "bundle--6eebc37e-e4bc-455a-8105-3fdd4a6861ee", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--def57041-6bb4-453a-bf04-188b9e97a35d", "created": "2023-09-28T21:26:34.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:04.312Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--df321d74-25d6-42da-80e8-3c9a291cb471.json b/ics-attack/relationship/relationship--df321d74-25d6-42da-80e8-3c9a291cb471.json index 06b212de7a..8f4e883932 100644 --- a/ics-attack/relationship/relationship--df321d74-25d6-42da-80e8-3c9a291cb471.json +++ b/ics-attack/relationship/relationship--df321d74-25d6-42da-80e8-3c9a291cb471.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94a041e5-79a6-49d2-8e31-c2694e71d8c2", + "id": "bundle--ded1a09a-3144-488b-b8e8-9d8e618cae73", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--df321d74-25d6-42da-80e8-3c9a291cb471", "created": "2023-09-28T19:57:41.602Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:04.505Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", 
diff --git a/ics-attack/relationship/relationship--df67d728-289e-4d04-9635-d018c0764ce9.json b/ics-attack/relationship/relationship--df67d728-289e-4d04-9635-d018c0764ce9.json new file mode 100644 index 0000000000..95651c7003 --- /dev/null +++ b/ics-attack/relationship/relationship--df67d728-289e-4d04-9635-d018c0764ce9.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--eeaac376-10ee-4a6f-aca2-dfa8a1df8982", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--df67d728-289e-4d04-9635-d018c0764ce9", + "created": "2026-04-22T21:36:02.911Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:36:02.911Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json b/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json index 22dea58c7b..58f1da7603 100644 --- a/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json +++ b/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--05c0da67-29bc-4d1b-955a-d3f6c0da0d0a", + "id": "bundle--092211ad-93d7-4502-add0-fedd6fbdee5b", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--df7b521e-4496-432f-a61d-3094d0c7bc23.json b/ics-attack/relationship/relationship--df7b521e-4496-432f-a61d-3094d0c7bc23.json index c57f5c2194..8a5cbec4cf 100644 --- a/ics-attack/relationship/relationship--df7b521e-4496-432f-a61d-3094d0c7bc23.json +++ b/ics-attack/relationship/relationship--df7b521e-4496-432f-a61d-3094d0c7bc23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--027a181f-3b0f-4d59-84d4-ec934dacdf83", + "id": "bundle--15205acc-fb56-4d5b-8576-cca54a7330c8", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--df7b521e-4496-432f-a61d-3094d0c7bc23", "created": "2023-09-29T17:58:26.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:04.930Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--df80e2b6-5672-4f26-a19c-a394f3731f24.json b/ics-attack/relationship/relationship--df80e2b6-5672-4f26-a19c-a394f3731f24.json index 63834c0985..86a4314284 100644 --- a/ics-attack/relationship/relationship--df80e2b6-5672-4f26-a19c-a394f3731f24.json +++ b/ics-attack/relationship/relationship--df80e2b6-5672-4f26-a19c-a394f3731f24.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1c34f01f-597c-4624-ba8b-2c09234b07fa", + "id": "bundle--5946aeab-12e1-4035-8967-4a420e2db92c", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--df80e2b6-5672-4f26-a19c-a394f3731f24", "created": "2023-09-28T19:48:48.649Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:05.126Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--df88d021-cb8e-482d-9260-445d0a0244ac.json b/ics-attack/relationship/relationship--df88d021-cb8e-482d-9260-445d0a0244ac.json index 541c6b2285..1826a169be 100644 --- a/ics-attack/relationship/relationship--df88d021-cb8e-482d-9260-445d0a0244ac.json +++ b/ics-attack/relationship/relationship--df88d021-cb8e-482d-9260-445d0a0244ac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30ae3229-8971-441b-8e0d-96fdde154e92", + "id": "bundle--88409a26-9829-4366-b75c-b504fffc137c", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--df88d021-cb8e-482d-9260-445d0a0244ac", "created": "2024-03-27T19:51:10.097Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Mandiant-Sandworm-Ukraine-2022", diff --git a/ics-attack/relationship/relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da.json b/ics-attack/relationship/relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da.json index c9dc4363d5..72e12b07fd 100644 --- a/ics-attack/relationship/relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da.json +++ b/ics-attack/relationship/relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ba1b3ac-e02c-4c41-ac2e-a9c3db93476c", + "id": "bundle--c97604c0-3bd0-4f8b-bd42-f9eda68b1cd1", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da", "created": "2023-09-28T20:11:11.658Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:05.761Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--dfb20521-91c2-4f55-b92a-dab959759b78.json b/ics-attack/relationship/relationship--dfb20521-91c2-4f55-b92a-dab959759b78.json index e9591ecf8b..f3d4026af6 100644 --- a/ics-attack/relationship/relationship--dfb20521-91c2-4f55-b92a-dab959759b78.json +++ b/ics-attack/relationship/relationship--dfb20521-91c2-4f55-b92a-dab959759b78.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1071d6fc-c490-46bb-b805-fda7ff21d6ad", + "id": "bundle--6742a934-1be2-4cc7-bcdf-e6f87e7300ca", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--dfb20521-91c2-4f55-b92a-dab959759b78", "created": "2023-09-29T18:03:38.874Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:05.955Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--dfc355bd-ee2e-4c80-a61c-0ca700dbc006.json b/ics-attack/relationship/relationship--dfc355bd-ee2e-4c80-a61c-0ca700dbc006.json index 0df7f33acf..339f828379 100644 --- a/ics-attack/relationship/relationship--dfc355bd-ee2e-4c80-a61c-0ca700dbc006.json +++ b/ics-attack/relationship/relationship--dfc355bd-ee2e-4c80-a61c-0ca700dbc006.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d31da78-aeab-4b6f-92e4-ef4ca834c346", + "id": "bundle--dc32d614-0100-4a22-b038-dd3a397fccdc", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--105c127f-2777-452e-bf61-b0786ee13861", "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", diff --git a/ics-attack/relationship/relationship--dfc6fb8e-87f4-4a50-a21e-1df2ad35d3c6.json b/ics-attack/relationship/relationship--dfc6fb8e-87f4-4a50-a21e-1df2ad35d3c6.json index 3862d4b167..85641cc5e3 100644 --- a/ics-attack/relationship/relationship--dfc6fb8e-87f4-4a50-a21e-1df2ad35d3c6.json +++ b/ics-attack/relationship/relationship--dfc6fb8e-87f4-4a50-a21e-1df2ad35d3c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--084e6255-b355-4a95-9390-0b4e2dc57819", + "id": "bundle--625091db-b0ff-4cd9-88a7-637ef9980442", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--dfc6fb8e-87f4-4a50-a21e-1df2ad35d3c6", "created": "2025-09-29T19:03:53.406Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--dfcfa2cf-6873-46a7-a924-68783378c15d.json b/ics-attack/relationship/relationship--dfcfa2cf-6873-46a7-a924-68783378c15d.json new file mode 100644 index 0000000000..4ac0bd549a --- /dev/null +++ b/ics-attack/relationship/relationship--dfcfa2cf-6873-46a7-a924-68783378c15d.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--784e5fb7-1429-4c03-8c65-6d2e8866b3e6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--dfcfa2cf-6873-46a7-a924-68783378c15d", + "created": "2026-04-22T13:54:19.768Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:54:19.768Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json b/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json index 9f7d01a5b8..ef07a6becd 100644 --- a/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json +++ b/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1d8a78dd-1687-4e18-b395-990b60a2027a", + "id": "bundle--96bf72a4-633e-4478-8752-c8bb1866a2b8", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb", "created": "2022-04-15T22:05:32.209Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T22:52:24.900Z", - "description": "", "relationship_type": "revoked-by", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "target_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", 
diff --git a/ics-attack/relationship/relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa.json b/ics-attack/relationship/relationship--e00efbb9-4663-4a0a-8fbe-d7dcc4395fc9.json
similarity index 71%
rename from ics-attack/relationship/relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa.json
rename to ics-attack/relationship/relationship--e00efbb9-4663-4a0a-8fbe-d7dcc4395fc9.json
index 10ef9624b8..1e68a8f8e3 100644
--- a/ics-attack/relationship/relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa.json
+++ b/ics-attack/relationship/relationship--e00efbb9-4663-4a0a-8fbe-d7dcc4395fc9.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--2946a731-e38a-4d59-a23b-373a711230d6",
+ "id": "bundle--76d62735-0321-4604-a6a8-10bc91cfc1f4",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa",
+ "id": "relationship--e00efbb9-4663-4a0a-8fbe-d7dcc4395fc9",
 "created": "2023-10-02T20:18:01.546Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -13,13 +13,12 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:01:17.536Z",
- "description": "",
 "relationship_type": "targets",
- "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9",
 "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e0613dac-bb51-482a-b005-f58cf7a69e7b.json b/ics-attack/relationship/relationship--e0613dac-bb51-482a-b005-f58cf7a69e7b.json
new file mode 100644
index 0000000000..8fcb017ba0
--- /dev/null
+++ b/ics-attack/relationship/relationship--e0613dac-bb51-482a-b005-f58cf7a69e7b.json
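Review bot: The renamed file gives the relationship a new `id` and a new `source_ref`, yet `"created"` stays `2023-10-02T20:18:01.546Z` and `"modified"` stays `2025-04-16T23:01:17.536Z`, so the object's content changed without its version timestamp moving. Consumers that sync incrementally on `modified` may not pick up the retargeted `targets` edge, and the old id `relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa` disappears without a revoked or deprecated record, which can leave dangling references in coverage mappings built on it. I would set `"modified"` to the time of this change (and `"created"` as well if this is meant to be a new object), or keep the old id in the dataset and mark it revoked. The previous `source_ref`, `attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61`, is presumably being retired by the same commit, which would be worth stating in the commit description.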
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--8d247b2c-4d8e-46cb-9c5f-dbbd7e55cc60", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e0613dac-bb51-482a-b005-f58cf7a69e7b", + "created": "2026-04-22T22:47:42.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:47:42.854Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json b/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json index 0042a86d30..89a0c4f237 100644 --- a/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json +++ b/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8023ff9e-9d51-40c2-ab52-8f06f0f97044", + "id": "bundle--ead16120-36be-4693-9826-5e5cebc451a3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json b/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json index bab94b945a..96cdf25a7c 100644 --- a/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json +++ b/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a17398d3-9565-4270-9f6f-788981fe2f4f", + "id": "bundle--81e3a7f3-5776-4b24-89ce-f8f431dfd66e", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--e0aee02c-b424-4781-be10-793d71594c31", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", diff --git a/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json b/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json index 3de30bc83e..dfedd29a98 100644 --- a/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json +++ b/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ab765b7-2d8e-4d02-bf8f-e1592ccc2a99", + "id": "bundle--b27420d8-734d-4570-9170-c422d51bbed4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb.json b/ics-attack/relationship/relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb.json index 37c17f8432..a3c64bbe2b 100644 --- a/ics-attack/relationship/relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb.json +++ b/ics-attack/relationship/relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--079946c1-0cc8-435d-ad5b-254ca59aaea7", + "id": "bundle--75bba1f6-6ff9-4ec9-8df0-a6f72d5ffb11", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb", "created": "2023-03-10T20:08:40.601Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Marshall Abrams July 2008", diff --git a/ics-attack/relationship/relationship--e100841e-fe9f-452f-8396-9aa635255efb.json b/ics-attack/relationship/relationship--e100841e-fe9f-452f-8396-9aa635255efb.json new file mode 100644 index 0000000000..decee52b07 --- /dev/null 
+++ b/ics-attack/relationship/relationship--e100841e-fe9f-452f-8396-9aa635255efb.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--fc412a50-26b2-4477-9b44-82a169241713", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e100841e-fe9f-452f-8396-9aa635255efb", + "created": "2026-04-22T21:37:58.480Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:37:58.480Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e.json b/ics-attack/relationship/relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e.json index a53ec61653..0462c10adc 100644 --- a/ics-attack/relationship/relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e.json +++ b/ics-attack/relationship/relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bbb8926b-69c0-451c-91ca-265c9dbdb9d5", + "id": "bundle--182524c6-458a-4a38-9d37-bd2f11dce849", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e", "created": "2023-09-28T19:42:54.009Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:07.806Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14.json b/ics-attack/relationship/relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14.json index 231bd42376..557606a1a3 100644 --- a/ics-attack/relationship/relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14.json +++ b/ics-attack/relationship/relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2e32a0fa-3592-4479-9bb8-5f801d6e9948", + "id": "bundle--d5c431c6-6ecd-4295-bbd9-56f1564145c5", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14", "created": "2023-03-31T17:44:45.164Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Crashoverride 2018", diff --git a/ics-attack/relationship/relationship--e1653814-74cd-4885-906f-b3af88452917.json b/ics-attack/relationship/relationship--e1653814-74cd-4885-906f-b3af88452917.json new file mode 100644 index 0000000000..37da46e1d3 --- /dev/null +++ b/ics-attack/relationship/relationship--e1653814-74cd-4885-906f-b3af88452917.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--60a9a3b5-6599-443e-93e8-609e75fe16f8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--e1653814-74cd-4885-906f-b3af88452917",
+ "created": "2026-04-23T00:06:22.758Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Department of Homeland Security September 2016",
+ "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ",
+ "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T20:06:59.502Z",
+ "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations.(Citation: Department of Homeland Security September 2016)",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+ "target_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74.json b/ics-attack/relationship/relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74.json
index 3011fbfd07..df4fea36fc 100644
--- a/ics-attack/relationship/relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74.json
+++ b/ics-attack/relationship/relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74.json
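Review bot: The citation text in `external_references[0].description` of relationship--e1653814-74cd-4885-906f-b3af88452917, `Department of Homeland Security 2016, September Retrieved. 2020/09/25 `, has no document title, a misplaced "Retrieved." and a trailing space, so the rendered reference does not identify the source on its own. The same entry is repeated in relationship--e62235fe-0546-4755-ad01-fedce306ef89 later in this commit, whose other three references share the `Retrieved. YYYY/MM/DD ` shape and trailing space. The CERT Polska references added alongside use the "Author. (date). Title. Retrieved date." form, so I would align these to it, e.g. `Department of Homeland Security. (2016, September). <TITLE FROM LINKED PDF>. Retrieved September 25, 2020.`, taking the title from the linked document rather than guessing it. The `us-cert.cisa.gov` host is presumably a legacy name; it is worth confirming the URL still resolves before publishing.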
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f4810a5-2430-4420-9e18-59551f60fe6d", + "id": "bundle--316bf6b4-d83b-4343-b4ef-334033917767", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74", "created": "2023-09-29T17:08:48.251Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:08.436Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json b/ics-attack/relationship/relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json index fd720ba3f1..37e1be9468 100644 --- a/ics-attack/relationship/relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json +++ b/ics-attack/relationship/relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eed61676-4f9f-416e-ab86-431cf410b389", + "id": "bundle--e7f71b92-5616-4074-9628-57c274bbc992", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4", "created": "2023-09-28T20:09:07.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:08.845Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
diff --git a/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json b/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json index 28b8603c27..8d24b2f7bb 100644 --- a/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json +++ b/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f6ad9d5-879a-4b41-b78c-d521c2dd6419", + "id": "bundle--23e152f2-53c0-4cf0-9741-26fc90fb78d9", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--e257913e-40ba-4a05-ba97-0c3175c966b5", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json b/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json index bc3e9af232..36d44881ef 100644 --- a/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json +++ b/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0aa92b5a-b972-4907-870d-2a0ae4786d9f", + "id": "bundle--3103ce1c-e23b-4fbe-b474-5f2bfc820d65", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--e323dee4-a896-4a82-85f5-d51d311b0437", "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Max Heinemeyer February 2020", diff --git a/ics-attack/relationship/relationship--e347c1e5-0c5b-42bb-b8d4-fafba4bcd319.json b/ics-attack/relationship/relationship--e347c1e5-0c5b-42bb-b8d4-fafba4bcd319.json new file mode 100644 index 0000000000..d6cfaccae0 --- /dev/null 
+++ b/ics-attack/relationship/relationship--e347c1e5-0c5b-42bb-b8d4-fafba4bcd319.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--139949dc-d2d9-4661-b63a-e5a71d5ac1b4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--e347c1e5-0c5b-42bb-b8d4-fafba4bcd319",
+ "created": "2026-04-22T16:35:10.762Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T16:35:10.762Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c",
+ "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e36e7e4d-fb9f-4396-bbc2-260dfc53cf8b.json b/ics-attack/relationship/relationship--e36e7e4d-fb9f-4396-bbc2-260dfc53cf8b.json
new file mode 100644
index 0000000000..2035540db2
--- /dev/null
+++ b/ics-attack/relationship/relationship--e36e7e4d-fb9f-4396-bbc2-260dfc53cf8b.json
@@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--007822e8-6ae6-4e09-bde9-3474263f8823", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e36e7e4d-fb9f-4396-bbc2-260dfc53cf8b", + "created": "2026-04-20T20:54:18.551Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:54:18.551Z", + "relationship_type": "subtechnique-of", + "source_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", + "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json b/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json index 1aacdfe3c2..af7d6007e9 100644 --- a/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json +++ b/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e3d79e8d-4fde-4774-ac33-c95ee36f255e", + "id": "bundle--e17a0d77-a3db-406e-a1c7-6a15f6541134", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00", "created": "2022-09-28T20:25:51.024Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos-Pipedream", diff --git a/ics-attack/relationship/relationship--e3b04152-0c90-41ff-a333-c5163fa9714f.json b/ics-attack/relationship/relationship--e3b04152-0c90-41ff-a333-c5163fa9714f.json index 461985f74f..0e4a09b2f1 100644 --- a/ics-attack/relationship/relationship--e3b04152-0c90-41ff-a333-c5163fa9714f.json 
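Review bot: The new `subtechnique-of` object relationship--e36e7e4d-fb9f-4396-bbc2-260dfc53cf8b (the 23-line hunk at the start of this line) has no `x_mitre_deprecated` key, while the other relationship files added in this part of the commit all carry `"x_mitre_deprecated": false`. If the omission is not intentional for this relationship type, add `"x_mitre_deprecated": false,` before `"x_mitre_attack_spec_version"`. Either way, since the same commit also drops `"revoked": false` from existing objects, consumers that filter on `revoked` or `x_mitre_deprecated` need to treat a missing key as false rather than index it directly.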
+++ b/ics-attack/relationship/relationship--e3b04152-0c90-41ff-a333-c5163fa9714f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d88c6a67-98af-4ed2-b239-a203bb9de66a", + "id": "bundle--9e1def24-3e68-4393-8760-a54178adf9cd", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e3b04152-0c90-41ff-a333-c5163fa9714f", "created": "2023-09-29T17:41:22.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:09.685Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--e41a04fe-a142-4294-a9f2-576214e1f985.json b/ics-attack/relationship/relationship--e41a04fe-a142-4294-a9f2-576214e1f985.json index d13d38a547..983b3cf9ae 100644 --- a/ics-attack/relationship/relationship--e41a04fe-a142-4294-a9f2-576214e1f985.json +++ b/ics-attack/relationship/relationship--e41a04fe-a142-4294-a9f2-576214e1f985.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c01341ec-e0fa-4d20-a623-cc6a2f508218", + "id": "bundle--4e52180e-a20c-4d34-a3dc-a4e003850812", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e41a04fe-a142-4294-a9f2-576214e1f985", "created": "2024-04-09T20:48:04.616Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:09.881Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
diff --git a/ics-attack/relationship/relationship--e434db5d-f201-4411-825f-4a50e1e78c75.json b/ics-attack/relationship/relationship--e434db5d-f201-4411-825f-4a50e1e78c75.json index 4050bd8055..ff17d9a2f0 100644 --- a/ics-attack/relationship/relationship--e434db5d-f201-4411-825f-4a50e1e78c75.json +++ b/ics-attack/relationship/relationship--e434db5d-f201-4411-825f-4a50e1e78c75.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9c1e4baa-5b22-41e0-ad3f-0516294e87bf", + "id": "bundle--f0b17358-39e3-44cb-a2d5-3d4271b87bb2", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e434db5d-f201-4411-825f-4a50e1e78c75", "created": "2023-09-29T17:06:20.834Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:10.093Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--e4850ba4-7933-4518-a9af-667cb99ff7f6.json b/ics-attack/relationship/relationship--e4850ba4-7933-4518-a9af-667cb99ff7f6.json new file mode 100644 index 0000000000..685332128f --- /dev/null +++ b/ics-attack/relationship/relationship--e4850ba4-7933-4518-a9af-667cb99ff7f6.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--14cf9257-4308-4768-bc5c-415c2fc6fb90",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--e4850ba4-7933-4518-a9af-667cb99ff7f6",
+ "created": "2026-04-22T20:27:19.955Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "CERT Polska",
+ "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.",
+ "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T20:27:19.955Z",
+ "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries stole sensitive operational information that was used to plan the attack on the operational technology systems.(Citation: CERT Polska)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d",
+ "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e4897cee-6e09-440d-89fe-a299c696bb92.json b/ics-attack/relationship/relationship--e4897cee-6e09-440d-89fe-a299c696bb92.json
new file mode 100644
index 0000000000..23932ffbfe
--- /dev/null
+++ b/ics-attack/relationship/relationship--e4897cee-6e09-440d-89fe-a299c696bb92.json
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--930702eb-635f-4c82-80db-8d09ddb2c42e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e4897cee-6e09-440d-89fe-a299c696bb92", + "created": "2026-04-22T16:37:32.002Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:37:32.002Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json b/ics-attack/relationship/relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json index 2744929de4..f59a9dfa67 100644 --- a/ics-attack/relationship/relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json +++ b/ics-attack/relationship/relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ec2218f7-c951-4c04-8831-381e752a2144", + "id": "bundle--aff5ea81-614a-40f0-a170-224324e2a141", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc", "created": "2023-09-29T18:49:44.351Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:10.309Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", 
diff --git a/ics-attack/relationship/relationship--e49fb083-b1aa-4ac9-a99e-7e9ea1542e32.json b/ics-attack/relationship/relationship--e49fb083-b1aa-4ac9-a99e-7e9ea1542e32.json
new file mode 100644
index 0000000000..28c8aef69a
--- /dev/null
+++ b/ics-attack/relationship/relationship--e49fb083-b1aa-4ac9-a99e-7e9ea1542e32.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--3bea1843-c64d-46a1-bcb0-6d76ce1f59fe",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--e49fb083-b1aa-4ac9-a99e-7e9ea1542e32",
+ "created": "2026-04-22T20:11:05.522Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "CERT Polska",
+ "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.",
+ "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T15:02:35.035Z",
+ "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used `nslookup` and `ping` to conduct remote system discovery activities.(Citation: CERT Polska)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d",
+ "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972.json b/ics-attack/relationship/relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972.json
index 2340753633..d0bb95175b 100644
--- a/ics-attack/relationship/relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972.json
+++ b/ics-attack/relationship/relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3a868c6-b83e-4642-a142-8c342bebbc0c", + "id": "bundle--9633be22-7a3d-49b0-a27c-c505874334b2", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972", "created": "2023-09-29T16:45:33.777Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:10.725Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a.json b/ics-attack/relationship/relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a.json index 46b0d38019..5132e36fcc 100644 --- a/ics-attack/relationship/relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a.json +++ b/ics-attack/relationship/relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d2c6563a-56d8-4acc-9209-2a102775a1b4", + "id": "bundle--64990508-cf75-4816-bf20-875784d84c06", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e4c62e59-d14e-4cbc-a4a9-4f64bd523d5a", "created": "2024-04-09T21:00:11.159Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:10.930Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", 
diff --git a/ics-attack/relationship/relationship--e4c87389-950e-45ab-b53a-3cafb21c08a3.json b/ics-attack/relationship/relationship--e4c87389-950e-45ab-b53a-3cafb21c08a3.json new file mode 100644 index 0000000000..c2989dc416 --- /dev/null +++ b/ics-attack/relationship/relationship--e4c87389-950e-45ab-b53a-3cafb21c08a3.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--18bc179b-c793-402d-8402-c720d3f57ee5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e4c87389-950e-45ab-b53a-3cafb21c08a3", + "created": "2026-04-22T20:15:55.649Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:15:55.649Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e4e37e2e-c6fc-4a67-a1c5-b349b1cd5a79.json b/ics-attack/relationship/relationship--e4e37e2e-c6fc-4a67-a1c5-b349b1cd5a79.json index cbeb7382bb..25df6d1a4b 100644 --- a/ics-attack/relationship/relationship--e4e37e2e-c6fc-4a67-a1c5-b349b1cd5a79.json +++ b/ics-attack/relationship/relationship--e4e37e2e-c6fc-4a67-a1c5-b349b1cd5a79.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13938afd-a884-442a-b1b4-efdd4008bf47", + "id": "bundle--bebbe9c3-c5a7-404c-9f70-a55dd739abfc", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--e4e37e2e-c6fc-4a67-a1c5-b349b1cd5a79", "created": "2025-09-29T19:09:16.239Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--e56064d9-388d-45b3-99a9-4eeec2e681da.json b/ics-attack/relationship/relationship--e56064d9-388d-45b3-99a9-4eeec2e681da.json new file mode 100644 index 0000000000..a5ac4b8ca2 --- /dev/null +++ b/ics-attack/relationship/relationship--e56064d9-388d-45b3-99a9-4eeec2e681da.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a7b520bc-7cc9-464b-8ae1-36e15cb483f1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e56064d9-388d-45b3-99a9-4eeec2e681da", + "created": "2026-04-22T22:42:50.619Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:42:50.619Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--feb80c7a-96cd-4300-b344-4d75b176c9cb", + "target_ref": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json b/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json index 6465eccc1e..8930276cb0 100644 --- a/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json +++ b/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--77893b12-6001-4e82-bcec-087459463fd0", + "id": "bundle--c701a29d-7d56-4eae-9d93-e8faac88efc0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json b/ics-attack/relationship/relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json index 97fa873ac7..3176cfb4c3 100644 --- a/ics-attack/relationship/relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json +++ b/ics-attack/relationship/relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c5d87229-7033-4124-b7d3-f23c843a3d7e", + "id": "bundle--241bd870-ac7d-4493-9330-612d5175fd73", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454", "created": "2023-10-02T20:17:51.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:11.594Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", diff --git a/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json b/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json index 647a65c894..59bea3669b 100644 --- a/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json +++ b/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--add80098-2c69-402c-a2fe-e0996c9a17aa", + "id": "bundle--ce21b619-4626-4085-9482-026b4341b32f", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--e62235fe-0546-4755-ad01-fedce306ef89.json b/ics-attack/relationship/relationship--e62235fe-0546-4755-ad01-fedce306ef89.json
new file mode 100644
index 0000000000..dde3bda4a0
--- /dev/null
+++ b/ics-attack/relationship/relationship--e62235fe-0546-4755-ad01-fedce306ef89.json
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--17a0e181-1e60-420a-9dd6-0a80e47c1a02", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e62235fe-0546-4755-ad01-fedce306ef89", + "created": "2026-04-22T13:57:10.500Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + }, + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T18:56:47.911Z", + "description": "Segment operational assets and their management devices based on their functional role within the process. 
Enabling more strict isolation to more critical control and operational information within the control environment.(Citation: Karen Scarfone; Paul Hoffman September 2009)(Citation: Keith Stouffer May 2015)(Citation: Department of Homeland Security September 2016)(Citation: Dwight Anderson 2014) ", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e627461f-f2cc-427b-8896-72db160bca24.json b/ics-attack/relationship/relationship--e627461f-f2cc-427b-8896-72db160bca24.json new file mode 100644 index 0000000000..de80082d2e --- /dev/null +++ b/ics-attack/relationship/relationship--e627461f-f2cc-427b-8896-72db160bca24.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--235cb7a5-6c9d-46e2-ade2-f81b2102bf9e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e627461f-f2cc-427b-8896-72db160bca24", + "created": "2026-04-22T21:42:46.708Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T17:00:44.990Z", + "description": "Implement network allowlists to minimize network access to only authorized hosts.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
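Review bot: The `description` added in relationship--e62235fe-0546-4755-ad01-fedce306ef89.json is one sentence followed by a fragment ("Enabling more strict isolation to more critical ..."), runs into the first `(Citation: ...)` marker without a space, and ends in a trailing space. Joining the two parts makes the mitigation guidance read unambiguously: `Segment operational assets and their management devices based on their functional role within the process, enabling stricter isolation of more critical control and operational information within the control environment.` The four `external_references` descriptions use the `... Retrieved. 2020/09/25 ` form with a trailing space, while the CERT Polska reference added in relationship--e8a72417-2ff1-4bb7-93c2-17fa0c274d3d.json uses `Author. (date). Title. Retrieved Month D, YYYY.`; aligning them would keep the citations consistent. The `us-cert.cisa.gov` and `sans.org/reading-room` URLs look like legacy paths, so it is worth confirming that they still resolve before release.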
diff --git a/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json b/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json index aa41c9c78f..4b36e142bb 100644 --- a/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json +++ b/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2cd07aee-b85b-429b-a613-9d2cd6ae31d8", + "id": "bundle--32190566-b920-4a6c-bee8-d52355b4a456", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json b/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json index 43297b8ffe..4fc39e58f8 100644 --- a/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json +++ b/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d945a7fd-2ccf-4f0f-9f61-0846330609a9", + "id": "bundle--694dabc1-d69c-4869-9e5c-271bfff4abf6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json b/ics-attack/relationship/relationship--e70d04d1-51e3-4d43-b3dd-111daeea14f9.json similarity index 74% rename from ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json rename to ics-attack/relationship/relationship--e70d04d1-51e3-4d43-b3dd-111daeea14f9.json index 65bcdff8c7..52ee7ac94c 100644 --- a/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json 
+++ b/ics-attack/relationship/relationship--e70d04d1-51e3-4d43-b3dd-111daeea14f9.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--e7a17caf-4147-42d1-b771-6ccaab9001b2", + "id": "bundle--2e45f6e8-0588-424e-86ea-3e14b29a730c", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--09977105-562f-4f45-a151-27a11a18031e", + "id": "relationship--e70d04d1-51e3-4d43-b3dd-111daeea14f9", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json b/ics-attack/relationship/relationship--e7564f70-9f10-4135-9803-842cd3d2a02f.json similarity index 72% rename from ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json rename to ics-attack/relationship/relationship--e7564f70-9f10-4135-9803-842cd3d2a02f.json index da5049fc32..938007f34b 100644 --- a/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json +++ b/ics-attack/relationship/relationship--e7564f70-9f10-4135-9803-842cd3d2a02f.json 
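Review bot: The timestamps in relationship--e70d04d1-51e3-4d43-b3dd-111daeea14f9.json do not reflect the re-keying: the object gets a new `id` and a new `target_ref` but keeps `created` at `2020-09-21T17:59:24.739Z` and, as far as the hunks show, its old `modified` (that line sits between the two hunks and is not displayed). Consumers that sync incrementally on `modified`, or that merge by `id` without processing deletions, may miss the new edge or keep the old `mitigates` edge to `attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707`, leaving mitigation coverage mapped to the wrong technique. Consider setting `modified` to the release time, for example `"modified": "<release timestamp>",`, as the relationships newly created in this commit already do. The same pattern appears in the renames to relationship--e7564f70-9f10-4135-9803-842cd3d2a02f, relationship--ea38b054-5552-4287-b3da-c4ad7ff61e55 (where the unchanged `modified` is visible as context next to the changed `source_ref`) and relationship--eaa0b30e-1dea-4dad-9a1e-33da933a8158.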
@@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--d74a221e-dcc3-4ee7-a088-51274106d388", + "id": "bundle--a4e977e2-b9d3-46f4-8a0e-6acf9f5f31e4", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--a75ddacf-e87e-4a99-83f2-618486473163", + "id": "relationship--e7564f70-9f10-4135-9803-842cd3d2a02f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Patch the BIOS and EFI as necessary.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json b/ics-attack/relationship/relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json index 9c91022e09..826c38d9cf 100644 --- a/ics-attack/relationship/relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json +++ b/ics-attack/relationship/relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eabff718-4546-4462-b808-dd35181333f0", + "id": "bundle--195cd61d-228a-4c4f-bceb-d8a3d5ee796a", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9", "created": "2023-09-28T19:42:16.270Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:12.625Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json b/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json index 7f436b5937..2f5db8340f 100644 --- a/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json +++ b/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c0916643-6cd6-4acd-a328-7c84d65396e7", + "id": "bundle--d141e8a0-3dfe-4f71-9548-1d2ce415125d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json b/ics-attack/relationship/relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json index 0c5638b77a..b4c5c4be9e 100644 --- a/ics-attack/relationship/relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json +++ b/ics-attack/relationship/relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8618f403-1cae-4161-b279-ac8fe8c444b2", + "id": "bundle--4362428d-22d5-4ee6-855e-16a6dd92d930", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2", "created": "2023-09-29T16:45:20.769Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:13.276Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--e7b44697-7269-427c-a825-3c41ec6dc385.json b/ics-attack/relationship/relationship--e7b44697-7269-427c-a825-3c41ec6dc385.json new file mode 100644 index 0000000000..d3b58f3526 --- /dev/null +++ b/ics-attack/relationship/relationship--e7b44697-7269-427c-a825-3c41ec6dc385.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--3ffb62bc-69a5-4497-a8e3-6a8f8ea9a89c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e7b44697-7269-427c-a825-3c41ec6dc385", + "created": "2026-04-20T20:58:43.015Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:43.015Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e7c3b02a-a932-4561-b812-5cfadd7f9b2f.json b/ics-attack/relationship/relationship--e7c3b02a-a932-4561-b812-5cfadd7f9b2f.json index db76293551..984f2bd9a9 100644 --- a/ics-attack/relationship/relationship--e7c3b02a-a932-4561-b812-5cfadd7f9b2f.json 
+++ b/ics-attack/relationship/relationship--e7c3b02a-a932-4561-b812-5cfadd7f9b2f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7c3c8370-a58b-4f1c-83ea-543a5feaad8c", + "id": "bundle--1e21b9fc-5858-47db-b455-de2b367bb272", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--e7c3b02a-a932-4561-b812-5cfadd7f9b2f", "created": "2024-11-20T23:25:47.710Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", diff --git a/ics-attack/relationship/relationship--e7eca1f8-1c88-4d99-996c-b93e0c66f063.json b/ics-attack/relationship/relationship--e7eca1f8-1c88-4d99-996c-b93e0c66f063.json index a19043d0c9..f92073f9da 100644 --- a/ics-attack/relationship/relationship--e7eca1f8-1c88-4d99-996c-b93e0c66f063.json +++ b/ics-attack/relationship/relationship--e7eca1f8-1c88-4d99-996c-b93e0c66f063.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ebc5b05d-48b1-4c39-9365-8aa8d22a8848", + "id": "bundle--89c3192e-a77f-494b-b7be-9e3389c33b6b", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--e7eca1f8-1c88-4d99-996c-b93e0c66f063", "created": "2025-09-29T19:57:33.616Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--e8076aaa-25e1-48cf-afcd-2365a67a8029.json b/ics-attack/relationship/relationship--e8076aaa-25e1-48cf-afcd-2365a67a8029.json new file mode 100644 index 0000000000..606a40024a --- /dev/null +++ b/ics-attack/relationship/relationship--e8076aaa-25e1-48cf-afcd-2365a67a8029.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--450ee420-524b-4f4c-b4f9-7a15e7f28254", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e8076aaa-25e1-48cf-afcd-2365a67a8029", + "created": "2026-04-22T22:51:11.523Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T22:51:11.523Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42.json b/ics-attack/relationship/relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42.json index f473cfe32e..0503a88f57 100644 --- a/ics-attack/relationship/relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42.json +++ b/ics-attack/relationship/relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3f3a3223-038a-4dca-8dd4-7967e64094c0", + "id": "bundle--63a64590-61c3-4cb5-8f00-1e4b3bb74019", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42", "created": "2023-09-29T16:39:41.736Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:13.666Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
diff --git a/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json b/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json index bc05003dd7..facd41ce12 100644 --- a/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json +++ b/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5983d586-ce21-46ec-818c-cd4afe13adc0", + "id": "bundle--ba6aaf0c-1cd8-449b-8522-ed1ad4a57cf8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e8a72417-2ff1-4bb7-93c2-17fa0c274d3d.json b/ics-attack/relationship/relationship--e8a72417-2ff1-4bb7-93c2-17fa0c274d3d.json new file mode 100644 index 0000000000..a002a62402 --- /dev/null +++ b/ics-attack/relationship/relationship--e8a72417-2ff1-4bb7-93c2-17fa0c274d3d.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--b6cad647-3aa1-4960-8e89-16cc5c5873c7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e8a72417-2ff1-4bb7-93c2-17fa0c274d3d", + "created": "2026-04-22T19:50:26.088Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T19:50:26.088Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries gained initial access by compromising Fortinet edge devices. (Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json b/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json index 0ff01216c5..1071441a8d 100644 --- a/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json +++ b/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--79f84adb-f836-4b57-b1ed-f0cb8655d6c8", + "id": "bundle--f922d0f0-c4d5-44cd-84e6-e45bc7807241", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json b/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json index e52246343c..5118f37b9c 100644 --- a/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json +++ b/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--32b6e091-2c20-4dcd-903f-76fb78478c08", + "id": "bundle--c6e48281-16b8-40bd-bde4-ad0b3914380c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json b/ics-attack/relationship/relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json index c3e30a0031..815bf0eb25 100644 --- a/ics-attack/relationship/relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json +++ b/ics-attack/relationship/relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--50450d3b-94e4-4352-9a07-83401a2032c8", + "id": "bundle--d8f7d92f-3cb8-4b19-aa84-98c7168f2fdb", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8", "created": "2023-09-28T19:50:30.312Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:14.760Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--e915e12c-3d0c-4f60-b119-9414940abb0b.json b/ics-attack/relationship/relationship--e915e12c-3d0c-4f60-b119-9414940abb0b.json index 92b7f5d5da..9ec7a2727d 100644 --- a/ics-attack/relationship/relationship--e915e12c-3d0c-4f60-b119-9414940abb0b.json 
+++ b/ics-attack/relationship/relationship--e915e12c-3d0c-4f60-b119-9414940abb0b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c0a4dde7-54ee-4c9e-b972-bfaaf2ec73e1", + "id": "bundle--c5bbb60c-44cd-4ba1-9c80-03c238fc2a92", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e915e12c-3d0c-4f60-b119-9414940abb0b", "created": "2023-09-28T20:08:27.145Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:14.982Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42.json b/ics-attack/relationship/relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42.json index 7ebb7e5a63..54154f0618 100644 --- a/ics-attack/relationship/relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42.json +++ b/ics-attack/relationship/relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5641823-5726-4e92-b4a9-eda9a2580fe2", + "id": "bundle--cc97109f-89a2-44be-acb7-33a89bf644aa", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42", "created": "2023-09-28T19:45:18.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:15.180Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
diff --git a/ics-attack/relationship/relationship--e98892d6-e036-4140-adbb-2932dba51a19.json b/ics-attack/relationship/relationship--e98892d6-e036-4140-adbb-2932dba51a19.json index b75ee2726a..b601636640 100644 --- a/ics-attack/relationship/relationship--e98892d6-e036-4140-adbb-2932dba51a19.json +++ b/ics-attack/relationship/relationship--e98892d6-e036-4140-adbb-2932dba51a19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--285966b3-27b7-42d4-a1f6-5f0dac6560de", + "id": "bundle--3d990769-5850-48cc-9240-fd3fb4c9fe2d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--e98892d6-e036-4140-adbb-2932dba51a19", "created": "2023-09-28T20:08:09.519Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:15.413Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json b/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json index 6c91681098..517d4c07c6 100644 --- a/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json +++ b/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28e58034-f1a3-4033-a384-dcb79de9160f", + "id": "bundle--8dad93bc-f986-4d9e-977f-7a3a29b1e608", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ea1ba63b-d0e1-4d1b-a098-72ce2c44a44a.json b/ics-attack/relationship/relationship--ea1ba63b-d0e1-4d1b-a098-72ce2c44a44a.json new file mode 100644 index 0000000000..c36fec1848 --- /dev/null +++ b/ics-attack/relationship/relationship--ea1ba63b-d0e1-4d1b-a098-72ce2c44a44a.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--5f74c6f7-3763-471e-9200-9d08334283c5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ea1ba63b-d0e1-4d1b-a098-72ce2c44a44a", + "created": "2026-04-22T13:50:28.914Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:38:37.483Z", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ea211d90-b379-446f-bc5e-ae7befe5a6ff.json b/ics-attack/relationship/relationship--ea211d90-b379-446f-bc5e-ae7befe5a6ff.json index 5495afad90..481b0e5916 100644 --- a/ics-attack/relationship/relationship--ea211d90-b379-446f-bc5e-ae7befe5a6ff.json +++ b/ics-attack/relationship/relationship--ea211d90-b379-446f-bc5e-ae7befe5a6ff.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--589eb3b4-81de-4dce-8185-7b81b3410fa7", + "id": "bundle--0286f992-5472-4e66-8217-0643020b65a5", "spec_version": "2.0", "objects": [ { 
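Review bot: "MAC functions" in the new `description` of relationship--ea1ba63b-d0e1-4d1b-a098-72ce2c44a44a.json is ambiguous in an OT networking context, where MAC is commonly read as media access control; the sentence evidently means message authentication codes. Spelling the term out once keeps readers from equating this mitigation with MAC-address filtering: `Protocols used for control functions should provide authenticity through message authentication code (MAC) functions or digital signatures.` The text also carries no `(Citation: ...)`, unlike the segmentation mitigation added for the same `target_ref` in relationship--e62235fe-0546-4755-ad01-fedce306ef89.json, so a source for the bump-in-the-wire and VPN recommendation would help practitioners who need to justify the control.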
@@ -8,7 +8,6 @@ "id": "relationship--ea211d90-b379-446f-bc5e-ae7befe5a6ff", "created": "2025-09-29T22:04:53.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf.json b/ics-attack/relationship/relationship--ea38b054-5552-4287-b3da-c4ad7ff61e55.json similarity index 71% rename from ics-attack/relationship/relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf.json rename to ics-attack/relationship/relationship--ea38b054-5552-4287-b3da-c4ad7ff61e55.json index 9637afa389..30f95bddba 100644 --- a/ics-attack/relationship/relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf.json +++ b/ics-attack/relationship/relationship--ea38b054-5552-4287-b3da-c4ad7ff61e55.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--7bc520a0-3cbf-4432-943e-94b036ad1b97", + "id": "bundle--6dc45f1f-a8df-4b5a-a481-8cf63f850e7e", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf", + "id": "relationship--ea38b054-5552-4287-b3da-c4ad7ff61e55", "created": "2023-09-28T20:04:32.626Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:47.761Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "source_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json b/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json index 687e369ef9..c219cdde2e 100644 --- a/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json +++ b/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--37485af3-4352-4371-8bc3-f33a1cec1bc7", + "id": "bundle--9ad09cf9-1d2a-46a3-9161-60635b6cf8e3", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--ea50253a-3220-458b-b810-ad032f2b182f", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "DHS CISA February 2019", diff --git a/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json b/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json index 23cb174df7..3f8c24c21c 100644 --- a/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json +++ b/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d550830f-bbf5-496b-8cc0-46dcf90d0352", + "id": "bundle--928a9513-247e-495d-9db8-c67f33163d6c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json b/ics-attack/relationship/relationship--eaa0b30e-1dea-4dad-9a1e-33da933a8158.json similarity index 74% rename from ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json rename to ics-attack/relationship/relationship--eaa0b30e-1dea-4dad-9a1e-33da933a8158.json index a792eea85f..0e4989596f 100644 --- a/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json +++ b/ics-attack/relationship/relationship--eaa0b30e-1dea-4dad-9a1e-33da933a8158.json 
@@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--004dea81-fb50-4999-8e37-01523cf88415", + "id": "bundle--0c46a610-eea9-4f8e-be2e-3f38bc5edbaf", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343", + "id": "relationship--eaa0b30e-1dea-4dad-9a1e-33da933a8158", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json b/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json index 2decf53227..d842303f6a 100644 --- a/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json +++ b/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75df535e-7bcb-44c0-b2fe-5454a02d53d9", + "id": "bundle--1f80188c-8253-4c9a-8e70-4b19df51aea4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960.json b/ics-attack/relationship/relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960.json index c6efbd6f70..f2992ba320 100644 
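Review bot: The `"revoked": false` line added after `created_by_ref` in the first hunk runs opposite to the neighbouring hunks in this commit, which delete that same line from `relationship--ea50253a-…`, `relationship--eadb4ca5-…` and several others. After this change some relationship objects carry the key and some omit it, so any consumer that filters out revoked objects must treat a missing `revoked` as false. It would be cleaner for the exporter to emit one form throughout, or for the commit description to state that an absent `revoked` is equivalent to `false`.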
--- a/ics-attack/relationship/relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960.json +++ b/ics-attack/relationship/relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e5f92321-c74c-4a3b-9949-1f58e80b5e93", + "id": "bundle--ead26001-29a2-4201-a6db-15c713d62424", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960", "created": "2023-09-28T20:28:52.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:16.718Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53.json b/ics-attack/relationship/relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53.json index eb1a3fe4dc..f85ef4fa6c 100644 --- a/ics-attack/relationship/relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53.json +++ b/ics-attack/relationship/relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--553a071d-ade6-4e8d-b919-56f447a28f29", + "id": "bundle--e70f054b-e62b-4a5e-b794-31e7fcc3a031", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53", "created": "2023-09-28T20:05:15.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:17.058Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", 
diff --git a/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json b/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json index 7ca977ce26..db40db9f45 100644 --- a/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json +++ b/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cb935d6f-8192-4a8a-821c-5b32341bf639", + "id": "bundle--9e0c8615-5f4c-4b56-b384-227d7e75947a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026", "created": "2021-10-08T15:25:32.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json b/ics-attack/relationship/relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json index 38d9e2ad96..fae415d998 100644 --- a/ics-attack/relationship/relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json +++ b/ics-attack/relationship/relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d00141c7-938a-419f-98e0-54c15fde37d1", + "id": "bundle--b09c7483-f5c4-41bd-86f3-cd5023568089", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b", "created": "2023-09-28T19:44:09.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:17.683Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", 
diff --git a/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json b/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json index f7d292adcc..ef8e7118b7 100644 --- a/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json +++ b/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4284958a-a071-4217-921c-6437f7e32c84", + "id": "bundle--a1e5327e-f24d-4978-97ed-8c7c7ad33609", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f", "created": "2021-10-08T15:42:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos Inc. June 2017", diff --git a/ics-attack/relationship/relationship--eb5310c6-7500-4b16-8ca7-6678c6232001.json b/ics-attack/relationship/relationship--eb5310c6-7500-4b16-8ca7-6678c6232001.json index b9f00b23a5..d6ef95321b 100644 --- a/ics-attack/relationship/relationship--eb5310c6-7500-4b16-8ca7-6678c6232001.json +++ b/ics-attack/relationship/relationship--eb5310c6-7500-4b16-8ca7-6678c6232001.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--86e455e7-3aff-44c0-80fb-9ca1729dcdde", + "id": "bundle--530def78-eb5d-42c1-811a-2adb3c4d7c2a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--eb5310c6-7500-4b16-8ca7-6678c6232001", "created": "2023-09-29T19:36:38.824Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:18.076Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
diff --git a/ics-attack/relationship/relationship--3e015dd2-eff3-4955-ba74-388266518579.json b/ics-attack/relationship/relationship--eb54882a-57a0-477f-8a2c-4a18c8d463c7.json similarity index 78% rename from ics-attack/relationship/relationship--3e015dd2-eff3-4955-ba74-388266518579.json rename to ics-attack/relationship/relationship--eb54882a-57a0-477f-8a2c-4a18c8d463c7.json index 6b53cc5976..a3e57d33e0 100644 --- a/ics-attack/relationship/relationship--3e015dd2-eff3-4955-ba74-388266518579.json +++ b/ics-attack/relationship/relationship--eb54882a-57a0-477f-8a2c-4a18c8d463c7.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--c429cdbf-725c-42a2-b2e9-bce1d277cd8b", + "id": "bundle--0a59cd7c-88c7-4ba4-8c89-22ad650de443", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--3e015dd2-eff3-4955-ba74-388266518579", + "id": "relationship--eb54882a-57a0-477f-8a2c-4a18c8d463c7", "created": "2025-09-29T22:05:16.999Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-29T22:05:16.999Z", "relationship_type": "targets", - "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "source_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, diff --git a/ics-attack/relationship/relationship--eb65b30e-53b1-4c27-8841-ee7daec9c33b.json b/ics-attack/relationship/relationship--eb65b30e-53b1-4c27-8841-ee7daec9c33b.json new file mode 100644 index 0000000000..815faa6557 --- /dev/null +++ b/ics-attack/relationship/relationship--eb65b30e-53b1-4c27-8841-ee7daec9c33b.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--c479f813-6167-4995-9c5b-5368a62d7453", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--eb65b30e-53b1-4c27-8841-ee7daec9c33b", + "created": "2026-04-22T16:36:35.229Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:36:35.229Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json b/ics-attack/relationship/relationship--eba478bb-7b76-4889-b82c-eda10826ffcb.json similarity index 74% rename from ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json rename to ics-attack/relationship/relationship--eba478bb-7b76-4889-b82c-eda10826ffcb.json index ab688e6fb9..4c5d4d5f94 100644 --- a/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json +++ b/ics-attack/relationship/relationship--eba478bb-7b76-4889-b82c-eda10826ffcb.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--7fc85ffa-523e-4573-a84b-1afab213ac76", + "id": "bundle--e7f2b0ae-81d0-4e19-b6d4-4f553102059c", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--f951d934-d555-45e9-a564-27b84518cae4", + "id": "relationship--eba478bb-7b76-4889-b82c-eda10826ffcb", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
@@ -15,10 +16,10 @@ "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json b/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json index a9bd5a8cf6..554378bcaf 100644 --- a/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json +++ b/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0f22444-6d17-4804-8c01-481311dc41cc", + "id": "bundle--982d6b3e-edf8-40fd-91c2-408157f7232d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json b/ics-attack/relationship/relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json index e4989eaa72..51a936bfbb 100644 --- a/ics-attack/relationship/relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json +++ b/ics-attack/relationship/relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--70246cdf-55b0-464e-abe9-76ca855e9c92", + "id": "bundle--a7bf3ef6-0037-4ad4-8d09-6e1056a78860", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0", "created": "2023-09-29T17:09:37.977Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:18.505Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json b/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json index 944e507275..a3ddf4bbdb 100644 --- a/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json +++ b/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b2f6b86-be61-4ce1-941b-4924a6a23931", + "id": "bundle--2d7fae1e-1b7c-40c3-b46a-504b0ae890e8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ec16db2c-3265-4e0a-88d3-947e198c0a64.json b/ics-attack/relationship/relationship--ec16db2c-3265-4e0a-88d3-947e198c0a64.json new file mode 100644 index 0000000000..61b63a3cdd --- /dev/null +++ b/ics-attack/relationship/relationship--ec16db2c-3265-4e0a-88d3-947e198c0a64.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--a170fa11-feef-4e12-a90d-fac3b4032e65", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ec16db2c-3265-4e0a-88d3-947e198c0a64", + "created": "2026-04-22T20:27:21.792Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:27:21.792Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ec468947-8385-443e-8a1e-fbdebc46df8d.json b/ics-attack/relationship/relationship--ec468947-8385-443e-8a1e-fbdebc46df8d.json new file mode 100644 index 0000000000..973c4cc264 --- /dev/null +++ b/ics-attack/relationship/relationship--ec468947-8385-443e-8a1e-fbdebc46df8d.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--27694af2-6c2a-4470-9a9f-5940f3821778", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ec468947-8385-443e-8a1e-fbdebc46df8d", + "created": "2026-04-22T18:55:48.001Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T18:55:48.001Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643.json b/ics-attack/relationship/relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643.json index 0b7e81fc32..a27bd63d3c 100644 --- a/ics-attack/relationship/relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643.json +++ b/ics-attack/relationship/relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0020401-b3da-401b-b949-085f68af2781", + "id": "bundle--59d7f27e-d81b-4112-bd2a-20a097e3f566", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643", "created": "2023-09-28T21:25:48.379Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:18.922Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
diff --git a/ics-attack/relationship/relationship--eccbcd3d-ea6e-4e9d-aa15-7b6e0909b6e0.json b/ics-attack/relationship/relationship--eccbcd3d-ea6e-4e9d-aa15-7b6e0909b6e0.json new file mode 100644 index 0000000000..7b6d792227 --- /dev/null +++ b/ics-attack/relationship/relationship--eccbcd3d-ea6e-4e9d-aa15-7b6e0909b6e0.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--350f89b1-325c-4c74-b34c-becce158bf67", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--eccbcd3d-ea6e-4e9d-aa15-7b6e0909b6e0", + "created": "2026-04-22T13:56:15.092Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:39:04.566Z", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json b/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json index 79c14cb14c..a4256be0dc 100644 --- a/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json +++ b/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0add7d38-226c-494c-98dc-76d0522ad36a", + "id": "bundle--01afd72a-4556-450d-9947-9d6e5994ee19", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ed095993-bc85-431e-9621-437143f16d44.json b/ics-attack/relationship/relationship--ed095993-bc85-431e-9621-437143f16d44.json index 4481b85286..5fda6e405b 100644 --- a/ics-attack/relationship/relationship--ed095993-bc85-431e-9621-437143f16d44.json +++ b/ics-attack/relationship/relationship--ed095993-bc85-431e-9621-437143f16d44.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c91e0c08-7376-4011-abec-aae602aa4dbb", + "id": "bundle--d2273550-5da9-462c-aa2f-d054716005cd", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ed095993-bc85-431e-9621-437143f16d44", "created": "2023-09-29T17:44:09.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:19.379Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--ed3ce006-cf41-46f6-bd86-054314c130dc.json b/ics-attack/relationship/relationship--ed3ce006-cf41-46f6-bd86-054314c130dc.json index 594e7882f9..3f0c2cb393 100644 --- a/ics-attack/relationship/relationship--ed3ce006-cf41-46f6-bd86-054314c130dc.json +++ b/ics-attack/relationship/relationship--ed3ce006-cf41-46f6-bd86-054314c130dc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a4d705d0-771a-4e88-a70b-6ceba5cbd694", + "id": "bundle--baa806ee-c64c-4aab-8000-c1060ccb7167", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--ed3ce006-cf41-46f6-bd86-054314c130dc", "created": "2023-09-28T21:15:57.120Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:19.565Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--ed3ef546-566a-46c7-918e-7bfa10d05991.json b/ics-attack/relationship/relationship--ed3ef546-566a-46c7-918e-7bfa10d05991.json index 186f45a2ac..6245698a92 100644 --- a/ics-attack/relationship/relationship--ed3ef546-566a-46c7-918e-7bfa10d05991.json +++ b/ics-attack/relationship/relationship--ed3ef546-566a-46c7-918e-7bfa10d05991.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8abc562e-e937-42f3-954c-3e0c8378a9e3", + "id": "bundle--66375813-73e6-4fd3-ac4c-aad45baee544", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ed3ef546-566a-46c7-918e-7bfa10d05991", "created": "2023-09-29T17:06:47.370Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:19.779Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--ed66e087-8877-4146-a16a-44cfd144a3d8.json b/ics-attack/relationship/relationship--ed66e087-8877-4146-a16a-44cfd144a3d8.json index 8fafef32af..0fb06554d8 100644 --- a/ics-attack/relationship/relationship--ed66e087-8877-4146-a16a-44cfd144a3d8.json +++ b/ics-attack/relationship/relationship--ed66e087-8877-4146-a16a-44cfd144a3d8.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--afd48ddd-0240-45da-8dc6-869fb693f346", + "id": "bundle--db80be7b-d732-43f6-b1aa-3cb3f7f8676b", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ed66e087-8877-4146-a16a-44cfd144a3d8", "created": "2023-09-29T17:07:00.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:19.992Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", diff --git a/ics-attack/relationship/relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json b/ics-attack/relationship/relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json index f8e21d3fbf..ae678715ad 100644 --- a/ics-attack/relationship/relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json +++ b/ics-attack/relationship/relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d00babef-acfa-4d06-9b69-6a44a7f61edb", + "id": "bundle--a7d209e6-36b4-4ce3-8182-2414089ebdd4", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb", "created": "2023-09-29T16:39:29.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:20.412Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
diff --git a/ics-attack/relationship/relationship--edb0495d-5faf-40be-92e2-fcf0c0b25157.json b/ics-attack/relationship/relationship--edb0495d-5faf-40be-92e2-fcf0c0b25157.json new file mode 100644 index 0000000000..65960d9b75 --- /dev/null +++ b/ics-attack/relationship/relationship--edb0495d-5faf-40be-92e2-fcf0c0b25157.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--21c03a1b-b804-4945-9a42-9800e0a3e966", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--edb0495d-5faf-40be-92e2-fcf0c0b25157", + "created": "2026-04-22T21:37:30.373Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:37:30.373Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json b/ics-attack/relationship/relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json index 09726fdd8f..733cf4b965 100644 --- a/ics-attack/relationship/relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json +++ b/ics-attack/relationship/relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e63d8849-e153-4c90-96df-3d53de057466", + "id": "bundle--1208259d-2bab-414c-a7c4-f4be789f4fed", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b", "created": "2023-09-29T17:58:54.996Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:20.853Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1.json b/ics-attack/relationship/relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1.json index ae3e8c5fc9..17e9e2757a 100644 --- a/ics-attack/relationship/relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1.json +++ b/ics-attack/relationship/relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3c24da5-a659-45f4-82fb-058787f0d1f4", + "id": "bundle--d68e0578-a2e4-4477-92fe-4eb49267ad01", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1", "created": "2023-09-28T21:12:00.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:21.055Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--ede5f716-52cd-4833-b092-5938262cd20b.json b/ics-attack/relationship/relationship--ede5f716-52cd-4833-b092-5938262cd20b.json index 7aa33b160a..a7e4fa40ee 100644 --- a/ics-attack/relationship/relationship--ede5f716-52cd-4833-b092-5938262cd20b.json +++ b/ics-attack/relationship/relationship--ede5f716-52cd-4833-b092-5938262cd20b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--64605f09-7eb3-4d5b-abe6-8f7b32466ff6", + "id": "bundle--cd2ccf6d-4793-430b-9f98-529189609d69", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--ede5f716-52cd-4833-b092-5938262cd20b", "created": "2025-09-29T19:08:08.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json b/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json index 5678c0bdac..1d05c4ffb2 100644 --- a/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json +++ b/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f8f28e51-7815-4509-bb5e-6daabc01c429", + "id": "bundle--a2048830-3197-4d27-9c1c-0dcffbd59b00", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--edf73653-b2d7-422f-b433-b6a428ff12d4", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", diff --git a/ics-attack/relationship/relationship--ee09658b-e384-4693-9318-b1e5d4a2e78a.json b/ics-attack/relationship/relationship--ee09658b-e384-4693-9318-b1e5d4a2e78a.json new file mode 100644 index 0000000000..d0cb4a2d3d --- /dev/null +++ b/ics-attack/relationship/relationship--ee09658b-e384-4693-9318-b1e5d4a2e78a.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--e70d0695-950d-4e63-9142-3b74587b5a67", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ee09658b-e384-4693-9318-b1e5d4a2e78a", + "created": "2026-04-22T19:55:57.376Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CERT Polska", + "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.", + "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:21:52.926Z", + "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries gained initial access to the operational technology via the compromised Fortinet edge devices, and used used SSH, RDP, and SMB/Windows Admin Shares to connect to remote systems and execute commands.(Citation: CERT Polska)", + "relationship_type": "uses", + "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json b/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json index 976189b265..0454602e7f 100644 --- a/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json +++ b/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json 
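Review bot: The `description` string in this new relationship repeats a word: "and used used SSH, RDP, and SMB/Windows Admin Shares". It should read `… edge devices, and used SSH, RDP, and SMB/Windows Admin Shares to connect to remote systems and execute commands.` The text is presumably shown verbatim as a procedure example to analysts, so it is worth correcting before the bundle is published.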
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6cc0f63a-8f6a-4d99-971e-b0b8d9723e81",
+ "id": "bundle--97fbd284-ce82-4324-a164-08db511dc211",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e",
 "created": "2021-04-12T18:49:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Tom Fakterman August 2019",
diff --git a/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json b/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json
index 9b09b9070f..7c900d7551 100644
--- a/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json
+++ b/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--41d9433e-a0da-4cfa-935b-e522d798278f",
+ "id": "bundle--5fc69b68-3128-4b29-b9c9-3eb1316108ae",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d",
 "created": "2017-12-14T16:46:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Booz Allen Hamilton",
diff --git a/ics-attack/relationship/relationship--ee538956-6abf-4884-bbfa-16839f6c7d63.json b/ics-attack/relationship/relationship--ee538956-6abf-4884-bbfa-16839f6c7d63.json
index b276b9e0d4..82bb5fbed5 100644
--- a/ics-attack/relationship/relationship--ee538956-6abf-4884-bbfa-16839f6c7d63.json
+++ b/ics-attack/relationship/relationship--ee538956-6abf-4884-bbfa-16839f6c7d63.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8306efb6-1671-450a-af99-73118c15f96e",
+ "id": "bundle--c80012e4-a26c-44d4-a60d-30a0c8acc14f",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--ee538956-6abf-4884-bbfa-16839f6c7d63",
 "created": "2025-09-29T19:03:09.092Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97.json b/ics-attack/relationship/relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97.json
index e4505d8dc6..7050c4b455 100644
--- a/ics-attack/relationship/relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97.json
+++ b/ics-attack/relationship/relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--356d3a33-5798-4ebf-8751-7d59b9667029",
+ "id": "bundle--baf3c4f0-88f4-439e-ad20-971757ba7f52",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97",
 "created": "2023-09-28T20:05:33.450Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:05:22.308Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
 "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
diff --git a/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json b/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json
index da65debc92..df8c2ef7cc 100644
--- a/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json
+++ b/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c237200b-7ec9-4098-8ffe-8eb4ae369b8f",
+ "id": "bundle--f09caac9-ffe6-40af-8b46-82d8d3a19017",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json b/ics-attack/relationship/relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json
index 4b38d84e5f..1aa29c1e41 100644
--- a/ics-attack/relationship/relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json
+++ b/ics-attack/relationship/relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--dbcbd82d-6b61-4e0f-b024-3b47ff4c79e3",
+ "id": "bundle--7b8a6587-de5c-41ed-b1e0-d388d9645f5b",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6",
 "created": "2023-09-28T20:04:07.868Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:05:22.759Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
 "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
diff --git a/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json b/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json
index 69b555fe6a..e50c80d7a1 100644
--- a/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json
+++ b/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5e25da0b-cef6-4c71-9e07-b62873bfa248",
+ "id": "bundle--3aeb6eb1-4932-463a-8306-a2a8e789b3b3",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3",
 "created": "2020-09-21T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Department of Homeland Security October 2009",
diff --git a/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json b/ics-attack/relationship/relationship--eed98f8e-3eb9-4238-9acf-c2a0be136e87.json
similarity index 81%
rename from ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json
rename to ics-attack/relationship/relationship--eed98f8e-3eb9-4238-9acf-c2a0be136e87.json
index 6f14ded193..42104f0c42 100644
--- a/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json
+++ b/ics-attack/relationship/relationship--eed98f8e-3eb9-4238-9acf-c2a0be136e87.json
@@ -1,11 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--d9b965f5-601d-4ad1-b177-f75e0de59549",
+ "id": "bundle--79d7099e-44c9-4d89-adc9-a5e44176c086",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
- "id": "relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135",
+ "id": "relationship--eed98f8e-3eb9-4238-9acf-c2a0be136e87",
 "created": "2020-09-21T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -16,10 +16,10 @@
 "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
- "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
+ "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
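Review bot: Git pairs these two paths as an 81% rename, but the hunks replace the relationship id and repoint `target_ref` from `attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707` to `attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39`, so this is a new `mitigates` object and the old relationship--7d6c4a00 is deleted outright rather than revoked. A consumer that merges bundles by id would presumably keep the stale mitigation mapping unless it also reconciles deletions; publishing a last version of the old object with `"revoked": true`, or listing the removal in the release notes, would make the change visible. The new object keeps `"created": "2020-09-21T17:59:24.739Z"`, and lines 12-15 (where `modified` appears to sit) fall between the two hunks and are unchanged, so both timestamps seem to predate the new id; confirm that is intended.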
diff --git a/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json b/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json
index c511e6a4ec..ecf63b0664 100644
--- a/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json
+++ b/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--12cefe5b-cb4b-4517-86c4-ffc19807caba",
+ "id": "bundle--f3644179-080c-4a91-818e-1fba32475674",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json b/ics-attack/relationship/relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json
index 9d528ac08a..34183da1fa 100644
--- a/ics-attack/relationship/relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json
+++ b/ics-attack/relationship/relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6fa4028f-6212-412b-90bc-9f0cc1cc26b1",
+ "id": "bundle--e1020173-a2b6-47b0-8249-189d9b3cc3fc",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8",
 "created": "2023-09-28T21:11:45.241Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:05:23.369Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
 "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
diff --git a/ics-attack/relationship/relationship--eeed6b2a-093b-478d-8d20-4ecf0b458bee.json b/ics-attack/relationship/relationship--eeed6b2a-093b-478d-8d20-4ecf0b458bee.json
index ea7a16a863..2c2ce68d83 100644
--- a/ics-attack/relationship/relationship--eeed6b2a-093b-478d-8d20-4ecf0b458bee.json
+++ b/ics-attack/relationship/relationship--eeed6b2a-093b-478d-8d20-4ecf0b458bee.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--db9e49bd-f713-47db-a4fd-0fa7ddf36bf4",
+ "id": "bundle--dbda6675-b17e-4a24-8ef8-b20b8c094d92",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--eeed6b2a-093b-478d-8d20-4ecf0b458bee",
 "created": "2025-09-24T17:57:18.102Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json b/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json
index 56be6d1a8a..a7706d1be5 100644
--- a/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json
+++ b/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ad7a3054-7e12-4e56-86a0-e0f3a328d4ed",
+ "id": "bundle--3835ef0f-6939-41c9-911f-0f65a60ab312",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json b/ics-attack/relationship/relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json
index a390f30431..be127d8a3a 100644
--- a/ics-attack/relationship/relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json
+++ b/ics-attack/relationship/relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--91185b1f-e3cf-4736-89e2-d4954c93a9ff",
+ "id": "bundle--d0c796d4-350f-4588-b3fb-f4a29eacd68d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3",
 "created": "2023-09-28T19:54:48.577Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:05:23.790Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204",
 "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
diff --git a/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json b/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json
index 0aa2ea8a2e..edf1ec52b6 100644
--- a/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json
+++ b/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4124076d-2026-4ad5-93ce-b937da4e60f5",
+ "id": "bundle--88c7434a-08d5-4bd2-94e7-b9ffeafad153",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693",
 "created": "2018-04-18T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Symantec Security Response July 2014",
diff --git a/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json b/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json
index efddaf282e..9acf51c412 100644
--- a/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json
+++ b/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--93ceb076-f266-4990-876e-8cdb4331ab0c",
+ "id": "bundle--1306d6fd-777a-46f6-ae95-4e0e1ead406b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--efc4eb1c-f254-41a5-976c-31a39f3b35f6.json b/ics-attack/relationship/relationship--efc4eb1c-f254-41a5-976c-31a39f3b35f6.json
new file mode 100644
index 0000000000..218a2c0bc4
--- /dev/null
+++ b/ics-attack/relationship/relationship--efc4eb1c-f254-41a5-976c-31a39f3b35f6.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--16d2351d-5371-422c-9afa-83e63cead1ad",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--efc4eb1c-f254-41a5-976c-31a39f3b35f6",
+ "created": "2026-04-22T22:48:50.957Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T22:48:50.957Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa",
+ "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--efece3a8-02ba-45da-828e-383d31631c62.json b/ics-attack/relationship/relationship--efece3a8-02ba-45da-828e-383d31631c62.json
new file mode 100644
index 0000000000..cdf4073c75
--- /dev/null
+++ b/ics-attack/relationship/relationship--efece3a8-02ba-45da-828e-383d31631c62.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--5afde801-31fc-4f40-a1be-0544fb3ea6c6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--efece3a8-02ba-45da-828e-383d31631c62",
+ "created": "2026-04-23T00:02:13.794Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T00:02:13.794Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef",
+ "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--eff95bb0-9681-47a6-a83d-efeb39328217.json b/ics-attack/relationship/relationship--eff95bb0-9681-47a6-a83d-efeb39328217.json
new file mode 100644
index 0000000000..284077f8e6
--- /dev/null
+++ b/ics-attack/relationship/relationship--eff95bb0-9681-47a6-a83d-efeb39328217.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--e6cb17b2-4e96-4cfe-be9d-4ae4b312736c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--eff95bb0-9681-47a6-a83d-efeb39328217",
+ "created": "2026-04-22T18:59:27.057Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T18:59:27.057Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a",
+ "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--efface85-ce65-400f-8632-cb188cc08bcf.json b/ics-attack/relationship/relationship--efface85-ce65-400f-8632-cb188cc08bcf.json
index da65144a86..f6f2cac4d5 100644
--- a/ics-attack/relationship/relationship--efface85-ce65-400f-8632-cb188cc08bcf.json
+++ b/ics-attack/relationship/relationship--efface85-ce65-400f-8632-cb188cc08bcf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--084b8310-421c-4d47-a3c2-b1ced8353e9f",
+ "id": "bundle--5bae7ec9-5eb8-4bd2-8a16-485cb5651a58",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--efface85-ce65-400f-8632-cb188cc08bcf",
 "created": "2025-09-29T19:11:45.227Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--f043ed4b-f304-44c4-8bf5-5a96ffeb97cd.json b/ics-attack/relationship/relationship--f043ed4b-f304-44c4-8bf5-5a96ffeb97cd.json
new file mode 100644
index 0000000000..64dcaaa687
--- /dev/null
+++ b/ics-attack/relationship/relationship--f043ed4b-f304-44c4-8bf5-5a96ffeb97cd.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--891ae0dc-85b2-478d-b543-03b8f22c34a7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--f043ed4b-f304-44c4-8bf5-5a96ffeb97cd",
+ "created": "2026-04-22T20:40:50.871Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T20:40:50.871Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91",
+ "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f05a2592-00f9-4f1f-ba55-395af5444b96.json b/ics-attack/relationship/relationship--f05a2592-00f9-4f1f-ba55-395af5444b96.json
index 303bf582a3..c7cdd1e573 100644
--- a/ics-attack/relationship/relationship--f05a2592-00f9-4f1f-ba55-395af5444b96.json
+++ b/ics-attack/relationship/relationship--f05a2592-00f9-4f1f-ba55-395af5444b96.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0b0eb36f-9001-4ea8-a749-78a7693c7c55",
+ "id": "bundle--331fc120-a4c9-46a9-892d-27e6a200cdbd",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--f05a2592-00f9-4f1f-ba55-395af5444b96",
 "created": "2023-09-29T17:42:29.179Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:05:24.632Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
 "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
diff --git a/ics-attack/relationship/relationship--f08d487a-7837-48f9-9301-fe0f9f144c92.json b/ics-attack/relationship/relationship--f08d487a-7837-48f9-9301-fe0f9f144c92.json
index b93c5580e7..8a7bb4228d 100644
--- a/ics-attack/relationship/relationship--f08d487a-7837-48f9-9301-fe0f9f144c92.json
+++ b/ics-attack/relationship/relationship--f08d487a-7837-48f9-9301-fe0f9f144c92.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ee83d9a0-d3fa-4943-8b32-4df652da6650",
+ "id": "bundle--bb93f13b-2344-4b2a-97f1-74494d354481",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--f08d487a-7837-48f9-9301-fe0f9f144c92",
 "created": "2023-09-28T20:31:04.691Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:05:24.852Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
 "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
diff --git a/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json b/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json
index 2ef8f60d84..c5d1c7f3e6 100644
--- a/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json
+++ b/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--caa88374-2c9b-4027-a081-c23ef27b6269",
+ "id": "bundle--1030a3cf-01c4-4279-8557-9cf760d90129",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962",
 "created": "2017-12-14T16:46:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
diff --git a/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json b/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json
index 8cac6ca7c7..1ebb60a3d4 100644
--- a/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json
+++ b/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bf871021-79ff-4f62-a8e7-ecf4a9e042c0",
+ "id": "bundle--892ccdbb-ce56-4a01-a4f2-9e83050a3501",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json b/ics-attack/relationship/relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json
index bd902eaae5..adbd823261 100644
--- a/ics-attack/relationship/relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json
+++ b/ics-attack/relationship/relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--61058c10-5904-4228-b342-1fe565d623c4",
+ "id": "bundle--d65ea2d8-76c4-4a46-9a67-49ba1775c2a0",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d",
 "created": "2023-09-29T18:45:34.258Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:05:25.709Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
 "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
diff --git a/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json b/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json
index 664fd72a30..55fdd0a340 100644
--- a/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json
+++ b/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e5e89e67-b270-44f0-85e5-43c0d7e8687c",
+ "id": "bundle--70f8f88d-218e-4d21-834e-516af2c7c2ce",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--f130282b-f681-455f-966b-55829842be92",
 "created": "2017-12-14T16:46:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "external_references": [
 {
 "source_name": "Langer Stuxnet",
diff --git a/ics-attack/relationship/relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8.json b/ics-attack/relationship/relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8.json
index 01ed2d4868..2c585f8666 100644
--- a/ics-attack/relationship/relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8.json
+++ b/ics-attack/relationship/relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4a832f31-0be1-443b-9907-450fb18dc88b",
+ "id": "bundle--072d04e1-d4b6-4732-bf13-b0093a64b534",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8",
 "created": "2023-09-28T21:24:22.815Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:05:26.315Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
 "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
diff --git a/ics-attack/relationship/relationship--f14d1558-79b9-4fe4-8329-d26b19ef4ef8.json b/ics-attack/relationship/relationship--f14d1558-79b9-4fe4-8329-d26b19ef4ef8.json
index 3f6279b931..51ce229fb9 100644
--- a/ics-attack/relationship/relationship--f14d1558-79b9-4fe4-8329-d26b19ef4ef8.json
+++ b/ics-attack/relationship/relationship--f14d1558-79b9-4fe4-8329-d26b19ef4ef8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--147009ba-bd12-4a94-b116-039f2c7d8ad5",
+ "id": "bundle--2c085493-9c63-4e64-9fb3-6dfb33f20291",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,7 +12,6 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-10-21T15:10:28.402Z",
- "description": "",
 "relationship_type": "detects",
 "source_ref": "x-mitre-detection-strategy--3ea60ac7-87a3-4033-9089-258941d8388a",
 "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
diff --git a/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json b/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json
index f38e9cd59c..425c65e905 100644
--- a/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json
+++ b/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a151c728-db06-489e-a6d3-aef4a8c76577",
+ "id": "bundle--dc225b3c-a6e3-428e-834c-e514e0aeb7ad",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--f1745073-e18e-4d62-b439-1afb1ec472c9.json b/ics-attack/relationship/relationship--f1745073-e18e-4d62-b439-1afb1ec472c9.json
new file mode 100644
index 0000000000..cb395d2aab
--- /dev/null
+++ b/ics-attack/relationship/relationship--f1745073-e18e-4d62-b439-1afb1ec472c9.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--dfcb2a8e-0f8b-4f83-bd39-6a7c7366f9c7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--f1745073-e18e-4d62-b439-1afb1ec472c9",
+ "created": "2026-04-22T13:28:16.417Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T13:28:16.417Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628",
+ "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f1c35b0c-c465-4f20-801a-b9b1fb088d94.json b/ics-attack/relationship/relationship--f1c35b0c-c465-4f20-801a-b9b1fb088d94.json
new file mode 100644
index 0000000000..071762927d
--- /dev/null
+++ b/ics-attack/relationship/relationship--f1c35b0c-c465-4f20-801a-b9b1fb088d94.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--1ac67af3-d839-4961-b4f4-f6333588faae",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--f1c35b0c-c465-4f20-801a-b9b1fb088d94",
+ "created": "2026-04-22T18:58:07.201Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T18:58:07.201Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a",
+ "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704.json b/ics-attack/relationship/relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704.json
index 9e1bad8098..df78b4b113 100644
--- a/ics-attack/relationship/relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704.json
+++ b/ics-attack/relationship/relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ac1e4192-eee4-44fa-a59f-af8ad21d834b",
+ "id": "bundle--6576ecaa-2ab7-4479-92c9-5b6d9fa6b73a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,12 +8,10 @@
 "id": "relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704",
 "created": "2023-09-29T17:07:38.219Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "modified": "2025-04-16T23:05:27.174Z",
- "description": "",
 "relationship_type": "targets",
 "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
 "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
diff --git a/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json b/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json
index 9c49fd9b5b..d56434d6f9 100644
--- a/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json
+++ b/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cda775a5-41fc-4bcd-8a68-fd4f7b4092d0",
+ "id": "bundle--4799d633-4442-485b-9af5-80a9dad408bf",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--f25c2744-e08f-4ea2-83c3-46a517ba4f4d.json b/ics-attack/relationship/relationship--f25c2744-e08f-4ea2-83c3-46a517ba4f4d.json
index bdf4fafff0..3bffeefc30 100644
--- a/ics-attack/relationship/relationship--f25c2744-e08f-4ea2-83c3-46a517ba4f4d.json
+++ b/ics-attack/relationship/relationship--f25c2744-e08f-4ea2-83c3-46a517ba4f4d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--47941b5c-d582-46e9-a2d5-6babc6dd3521",
+ "id": "bundle--14025773-1ea8-4d81-b1b2-c628182ee934",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@
 "id": "relationship--f25c2744-e08f-4ea2-83c3-46a517ba4f4d",
 "created": "2025-09-29T19:09:04.156Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
diff --git a/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json b/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json
index 964aa74509..c6f1326117 100644
--- a/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json
+++ b/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fc02c2fc-4ac5-4859-a16f-dc40bcb50fe1",
+ "id": "bundle--54683a06-29a7-41d1-8476-874a173cc446",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,7 +8,6 @@ "id": "relationship--f29ecf69-1753-44bb-9b80-1025f49cadda", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", diff --git a/ics-attack/relationship/relationship--f3178f64-d0e9-4cd0-84a4-0b28c0fde4bc.json b/ics-attack/relationship/relationship--f3178f64-d0e9-4cd0-84a4-0b28c0fde4bc.json new file mode 100644 index 0000000000..09a02e0e5c --- /dev/null +++ b/ics-attack/relationship/relationship--f3178f64-d0e9-4cd0-84a4-0b28c0fde4bc.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--8f18f4a3-f5b3-408e-86c9-676b6c5ed5ad", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f3178f64-d0e9-4cd0-84a4-0b28c0fde4bc", + "created": "2026-04-22T16:41:35.915Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:41:35.915Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json b/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json index 1ec3f2c247..eb253b1e95 100644 --- a/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json +++ b/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--316cd032-581b-4700-a7a8-359d9bcb4793", + "id": "bundle--39523ea4-7bc3-4a57-8d56-101ed690619f", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--f347b4fe-d829-427d-851a-fff3393441db", "created": "2021-04-12T07:57:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik August 2019", diff --git a/ics-attack/relationship/relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b.json b/ics-attack/relationship/relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b.json index dba08ed3be..657df5cb23 100644 --- a/ics-attack/relationship/relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b.json +++ b/ics-attack/relationship/relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--352d4229-f84f-4d8d-9db0-36bcebbb7df7", + "id": "bundle--1e35fd1f-1f9c-4c10-b033-c25d0f63ad65", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b", "created": "2023-09-28T21:23:51.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:28.414Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--f3dbd66f-cfdb-488e-924f-a5cdc27d3a11.json b/ics-attack/relationship/relationship--f3dbd66f-cfdb-488e-924f-a5cdc27d3a11.json new file mode 100644 index 0000000000..aa8b0a5985 --- /dev/null +++ b/ics-attack/relationship/relationship--f3dbd66f-cfdb-488e-924f-a5cdc27d3a11.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--3cfe4578-2fca-4dc2-8376-be631c303383", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f3dbd66f-cfdb-488e-924f-a5cdc27d3a11", + "created": "2026-04-22T21:40:49.547Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:40:49.547Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f3fab39f-864a-458a-b7dd-9ed38cfaa0e1.json b/ics-attack/relationship/relationship--f3fab39f-864a-458a-b7dd-9ed38cfaa0e1.json new file mode 100644 index 0000000000..160b2d4ed6 --- /dev/null +++ b/ics-attack/relationship/relationship--f3fab39f-864a-458a-b7dd-9ed38cfaa0e1.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--518c14dc-7cb4-4b92-9887-62a3c3fa8fa0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f3fab39f-864a-458a-b7dd-9ed38cfaa0e1", + "created": "2026-04-22T13:54:59.989Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T13:54:59.989Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json b/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json index e952acfda2..a5e4cac58e 100644 --- a/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json +++ b/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6485543-bb16-4607-966f-cb4048aab1a4", + "id": "bundle--d0cf614c-35a0-48a8-873f-487789a5511e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f448969e-217d-4946-bede-6c85dc1b123f.json b/ics-attack/relationship/relationship--f448969e-217d-4946-bede-6c85dc1b123f.json index 165fbcee41..2cff2f010c 100644 --- a/ics-attack/relationship/relationship--f448969e-217d-4946-bede-6c85dc1b123f.json +++ b/ics-attack/relationship/relationship--f448969e-217d-4946-bede-6c85dc1b123f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--853299d2-2ef5-45f3-a916-66b9ec9e310b", + "id": "bundle--e713c2a3-bdb3-4645-95d8-d373d611401b", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--f448969e-217d-4946-bede-6c85dc1b123f", "created": "2025-09-29T19:48:41.376Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json b/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json index 5ec422fa1a..ec42c09783 100644 --- a/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json +++ b/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--db58a747-6eb0-4d8f-bf65-a241a0a33d3f", + "id": "bundle--29e60269-6d39-4849-88b4-3442ad2dd842", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--f45c2df8-30e7-45d0-8067-7b2870767574", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json b/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json index 9ce6ac4a9f..8e32a9f96c 100644 --- a/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json +++ b/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dde28757-704e-48e3-8cee-4dc9904c7748", + "id": "bundle--73e72012-dedb-4638-b88f-84171744a7f4", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875.json b/ics-attack/relationship/relationship--f4b94abb-3b81-4c92-8bd1-0fed105ece14.json similarity index 71% rename from ics-attack/relationship/relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875.json rename to ics-attack/relationship/relationship--f4b94abb-3b81-4c92-8bd1-0fed105ece14.json index 233d7108ca..f2f19954d5 100644 --- a/ics-attack/relationship/relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875.json +++ b/ics-attack/relationship/relationship--f4b94abb-3b81-4c92-8bd1-0fed105ece14.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--d4a77149-6585-4d3e-864e-b2350e2a2edf", + "id": "bundle--5647070c-2a13-4311-8ebd-d6b77facccfe", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875", + "id": "relationship--f4b94abb-3b81-4c92-8bd1-0fed105ece14", "created": "2023-09-28T19:37:35.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:03:49.479Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f4cae3bb-a699-43a6-9dae-fd3acac9551e.json b/ics-attack/relationship/relationship--f4cae3bb-a699-43a6-9dae-fd3acac9551e.json index 3197cddb43..b55a95faf0 100644 --- a/ics-attack/relationship/relationship--f4cae3bb-a699-43a6-9dae-fd3acac9551e.json 
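Review bot: The re-keyed object `relationship--f4b94abb-3b81-4c92-8bd1-0fed105ece14` keeps `"created": "2023-09-28T19:37:35.485Z"` and `"modified": "2025-04-16T23:03:49.479Z"` as unchanged context even though its `id`, `source_ref` and `x_mitre_attack_spec_version` all change in these two hunks. The old id `relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875` disappears with the file rename and is never marked revoked or deprecated, so a consumer that merges bundles by id, or syncs by `modified`, may keep the stale `targets` edge from `attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60` and may not pick up the new one. I would stamp the new object with the export time, e.g. `"modified": "<export timestamp>",` (placeholder), and state in the release notes that relationship ids were reissued. The renames to f5337891, f65823c1 and f7a466c2 later in this diff follow the same pattern, as far as their hunks show.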
+++ b/ics-attack/relationship/relationship--f4cae3bb-a699-43a6-9dae-fd3acac9551e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63920806-de67-4247-b746-904dcff7b81e", + "id": "bundle--b77fb923-2b7e-4508-a6e9-4ad294080217", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--f4cae3bb-a699-43a6-9dae-fd3acac9551e", "created": "2025-09-24T18:19:38.546Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--f531e763-3550-40ba-a6a1-81e208ca12c6.json b/ics-attack/relationship/relationship--f531e763-3550-40ba-a6a1-81e208ca12c6.json index 924b09fb73..9a327f3bf9 100644 --- a/ics-attack/relationship/relationship--f531e763-3550-40ba-a6a1-81e208ca12c6.json +++ b/ics-attack/relationship/relationship--f531e763-3550-40ba-a6a1-81e208ca12c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a87a4e89-2348-4764-97fe-1ccbcfa2890c", + "id": "bundle--aae45879-edd1-4de4-a0cb-f7e40bde163a", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--f531e763-3550-40ba-a6a1-81e208ca12c6", "created": "2023-09-29T16:41:06.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:29.887Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", 
diff --git a/ics-attack/relationship/relationship--e13f8de3-3ea1-4987-9355-aad8d967a207.json b/ics-attack/relationship/relationship--f5337891-61a3-4f24-a00a-8064a7ab4447.json similarity index 78% rename from ics-attack/relationship/relationship--e13f8de3-3ea1-4987-9355-aad8d967a207.json rename to ics-attack/relationship/relationship--f5337891-61a3-4f24-a00a-8064a7ab4447.json index f164bcdf97..1c4667ce8a 100644 --- a/ics-attack/relationship/relationship--e13f8de3-3ea1-4987-9355-aad8d967a207.json +++ b/ics-attack/relationship/relationship--f5337891-61a3-4f24-a00a-8064a7ab4447.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--2f879639-f747-47c4-98e0-993506b43729", + "id": "bundle--981f4089-03a1-458b-9d79-ff3bffefe928", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--e13f8de3-3ea1-4987-9355-aad8d967a207", + "id": "relationship--f5337891-61a3-4f24-a00a-8064a7ab4447", "created": "2025-09-29T19:05:22.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -14,7 +14,7 @@ ], "modified": "2025-09-29T19:05:22.195Z", "relationship_type": "targets", - "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "source_ref": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91", "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, diff --git a/ics-attack/relationship/relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json b/ics-attack/relationship/relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json index 898edbb07c..4a105bea72 100644 --- a/ics-attack/relationship/relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json +++ b/ics-attack/relationship/relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--087bf384-4611-4554-8589-a32cafe6452b", + "id": "bundle--1472cb64-cf15-41cb-afd1-d0bb07ddc433", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7", "created": "2023-09-28T21:26:23.361Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:30.071Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json b/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json index a3bb978bbe..b549d3975f 100644 --- a/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json +++ b/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf4d6481-4e59-4bca-98d1-295cbc868d15", + "id": "bundle--cf82bae9-2c1f-46ca-8a51-73e33ed3de49", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--f584a257-c22a-434b-aa2d-6220987821ab", "created": "2021-10-13T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Jos Wetzels January 2018", diff --git a/ics-attack/relationship/relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json b/ics-attack/relationship/relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json index 29233a7150..4e7c6d62aa 100644 --- a/ics-attack/relationship/relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json +++ b/ics-attack/relationship/relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e59bb7c8-dbfc-4f13-b245-a3ecccd83926", + "id": "bundle--6aac6852-726b-4d4d-a42a-5ccd6a63debd", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545", "created": "2023-09-29T18:44:50.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:30.485Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4.json b/ics-attack/relationship/relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4.json index 41bb5fdad7..b84063ba5f 100644 --- a/ics-attack/relationship/relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4.json +++ b/ics-attack/relationship/relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--073461b6-c287-4328-9753-e7e2acfb6ecd", + "id": "bundle--69d8d0c6-0c10-4633-bc05-939c464f22c8", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4", "created": "2023-09-29T17:04:55.720Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:30.913Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", 
diff --git a/ics-attack/relationship/relationship--f6320c84-adfe-4a26-b33c-2b29ebd1337f.json b/ics-attack/relationship/relationship--f6320c84-adfe-4a26-b33c-2b29ebd1337f.json index fe27654b1e..b3f658f107 100644 --- a/ics-attack/relationship/relationship--f6320c84-adfe-4a26-b33c-2b29ebd1337f.json +++ b/ics-attack/relationship/relationship--f6320c84-adfe-4a26-b33c-2b29ebd1337f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3c2289c-6641-430d-9d8f-6b3b2f3e2194", + "id": "bundle--eebcd667-a50a-472a-a145-6d83113c7fa1", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--c4777f1a-1481-4e8a-a3f4-0da57418c808", "target_ref": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", diff --git a/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json b/ics-attack/relationship/relationship--f65823c1-211b-40bf-a622-407bb511cb3d.json similarity index 85% rename from ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json rename to ics-attack/relationship/relationship--f65823c1-211b-40bf-a622-407bb511cb3d.json index 2722938531..1a775bfeef 100644 --- a/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json +++ b/ics-attack/relationship/relationship--f65823c1-211b-40bf-a622-407bb511cb3d.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--b26d697f-b87f-45f2-84cc-2007cc9a4933", + "id": "bundle--7093e02a-c8e4-43ce-b812-e4bd71561225", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce", + "id": "relationship--f65823c1-211b-40bf-a622-407bb511cb3d", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -23,10 +23,10 @@ "description": "[Triton](https://attack.mitre.org/software/S1009) is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. (Citation: DHS CISA February 2019)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json b/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json index 53c2cbcc12..184962f081 100644 --- a/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json +++ b/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aceed97d-cbbf-4bbe-88bb-9b39dd0a7c4e", + "id": "bundle--cfd9d139-afe5-49b0-91c3-8b3554269884", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos", diff --git a/ics-attack/relationship/relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659.json b/ics-attack/relationship/relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659.json index b7f0ceb044..4655ef1190 100644 --- a/ics-attack/relationship/relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659.json 
+++ b/ics-attack/relationship/relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b96d0a2a-c1fa-4773-98b0-746bd1c16466", + "id": "bundle--f8d68bff-befb-433e-a3a5-71aaeaae619f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659", "created": "2023-09-28T19:55:58.229Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:31.516Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--f6794183-bbc5-4c36-a597-fd49d4957c2b.json b/ics-attack/relationship/relationship--f6794183-bbc5-4c36-a597-fd49d4957c2b.json new file mode 100644 index 0000000000..fa5155d70b --- /dev/null +++ b/ics-attack/relationship/relationship--f6794183-bbc5-4c36-a597-fd49d4957c2b.json @@ -0,0 +1,23 @@ +{ + "type": "bundle", + "id": "bundle--05dde548-3d66-47f2-8636-e9af2ea439da", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f6794183-bbc5-4c36-a597-fd49d4957c2b", + "created": "2026-04-20T20:58:51.348Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-20T20:58:51.348Z", + "relationship_type": "revoked-by", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file 
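Review bot: The new `revoked-by` object `relationship--f6794183-bbc5-4c36-a597-fd49d4957c2b` is the only relationship added in this part of the diff without `x_mitre_deprecated` (its hunk is `+1,23`, where the other new relationship files are 24 or 25 lines). If that is not intentional, add `"x_mitre_deprecated": false,` after `x_mitre_modified_by_ref` so that tooling which reads the key directly treats it like its siblings. It is also worth checking that every relationship still pointing at `attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60` has been moved to `attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5`, as the rename to `relationship--f4b94abb-3b81-4c92-8bd1-0fed105ece14` earlier in this diff does for one of them; that cannot be confirmed from the visible hunks.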
diff --git a/ics-attack/relationship/relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6.json b/ics-attack/relationship/relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6.json index d4fe471fac..b71729d2e8 100644 --- a/ics-attack/relationship/relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6.json +++ b/ics-attack/relationship/relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e703196-99f6-4560-bec5-5c72929d361e", + "id": "bundle--fc6a840b-0de5-4632-af04-3e6bb7a92ed9", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6", "created": "2023-09-28T20:12:09.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:31.952Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", diff --git a/ics-attack/relationship/relationship--f6bc7a24-c3e5-465c-ad71-52087cbff920.json b/ics-attack/relationship/relationship--f6bc7a24-c3e5-465c-ad71-52087cbff920.json index de920ddc60..5e629dac1e 100644 --- a/ics-attack/relationship/relationship--f6bc7a24-c3e5-465c-ad71-52087cbff920.json +++ b/ics-attack/relationship/relationship--f6bc7a24-c3e5-465c-ad71-52087cbff920.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c50b9a14-6580-446e-b761-23d9bc37e469", + "id": "bundle--3876c9a0-4d72-4786-98a6-27bdf51caef2", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--f6bc7a24-c3e5-465c-ad71-52087cbff920", "created": "2025-09-29T19:12:16.231Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--f6e405c4-77e2-4bf3-8313-279aea9f0025.json b/ics-attack/relationship/relationship--f6e405c4-77e2-4bf3-8313-279aea9f0025.json new file mode 100644 index 0000000000..878ac62ae8 --- /dev/null +++ b/ics-attack/relationship/relationship--f6e405c4-77e2-4bf3-8313-279aea9f0025.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--0e34c529-792d-43e3-a283-4e218c07fd1c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f6e405c4-77e2-4bf3-8313-279aea9f0025", + "created": "2026-04-22T16:41:01.640Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T16:41:01.640Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c", + "target_ref": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json b/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json index 3b1e3deb21..710ff60a35 100644 --- a/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json +++ b/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a515336-8ba4-4919-9743-6e15d7693b96", + "id": "bundle--a01592c2-cdcf-45bb-8ef3-a1986c4d0f94", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--f6ff74c2-d088-4252-a8e0-189574863765", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json b/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json index 12c614a87b..1f7d270ba9 100644 --- a/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json +++ b/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--414a6410-c21b-476c-a15a-1b41a503b79c", + "id": "bundle--74eaff15-7251-459f-9583-ed9c90d7a187", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f710e99a-dfe9-4b2b-8b1b-97ab1c9d65f3.json b/ics-attack/relationship/relationship--f710e99a-dfe9-4b2b-8b1b-97ab1c9d65f3.json new file mode 100644 index 0000000000..e6b890639a --- /dev/null +++ b/ics-attack/relationship/relationship--f710e99a-dfe9-4b2b-8b1b-97ab1c9d65f3.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--dd900fcf-a5b3-4460-b880-de3ef3f99e59", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f710e99a-dfe9-4b2b-8b1b-97ab1c9d65f3", + "created": "2026-04-22T17:50:53.396Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:18:54.342Z", + "description": "Review the integrity of project files to verify they have not been modified by adversary behavior. Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c.json b/ics-attack/relationship/relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c.json index 00fa2e995a..0030e1aa84 100644 --- a/ics-attack/relationship/relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c.json +++ b/ics-attack/relationship/relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c08a83f4-81ae-4c48-9a18-bf402d36b07a", + "id": "bundle--7187bc7a-43a3-41aa-80e3-b22316cd4381", "spec_version": "2.0", "objects": [ { 
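Review bot: The new `description` on `relationship--f710e99a-dfe9-4b2b-8b1b-97ab1c9d65f3` lists timestamps next to a cryptographic hash as indicators of modification without saying that they are much weaker evidence, and it does not say where the trusted reference comes from. File timestamps can be rewritten by whoever is able to modify the project file, and a hash comparison only helps when the known-good value is kept somewhere the engineering workstation cannot write. I would extend the text with one sentence such as `Store reference hashes separately from the systems that hold the project files, and treat timestamps only as a supporting indicator.` The relationship also carries no `external_references`, so the guidance has no citation a reader can follow.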
@@ -8,12 +8,10 @@ "id": "relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c", "created": "2023-09-29T16:45:42.977Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:32.577Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", diff --git a/ics-attack/relationship/relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846.json b/ics-attack/relationship/relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846.json index f96728ca93..7a507e81f2 100644 --- a/ics-attack/relationship/relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846.json +++ b/ics-attack/relationship/relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d52fb45d-9771-4a03-b784-1c6ba9f8466a", + "id": "bundle--81b066d0-ce0a-4c24-b066-a3e5170abb81", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846", "created": "2023-09-29T18:47:39.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:32.808Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", diff --git a/ics-attack/relationship/relationship--f76dd26b-2aa3-4fc3-bdef-ddd0632d851b.json b/ics-attack/relationship/relationship--f76dd26b-2aa3-4fc3-bdef-ddd0632d851b.json new file mode 100644 index 0000000000..fdbb4a1c66 --- /dev/null +++ b/ics-attack/relationship/relationship--f76dd26b-2aa3-4fc3-bdef-ddd0632d851b.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--8da87234-ac00-4f05-bd25-56e4f07c3fff", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f76dd26b-2aa3-4fc3-bdef-ddd0632d851b", + "created": "2026-04-22T13:30:44.280Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T15:20:25.188Z", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f79d44ae-f971-484a-973b-e0cab972681d.json b/ics-attack/relationship/relationship--f79d44ae-f971-484a-973b-e0cab972681d.json index 62f5f83913..a50c6f5d04 100644 --- a/ics-attack/relationship/relationship--f79d44ae-f971-484a-973b-e0cab972681d.json +++ b/ics-attack/relationship/relationship--f79d44ae-f971-484a-973b-e0cab972681d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65d51689-f20c-484c-988e-4f4906d49515", + "id": "bundle--6580d127-f66c-4cc2-ac8a-d0ab015d3a2a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--f79d44ae-f971-484a-973b-e0cab972681d", "created": "2025-09-29T19:52:32.636Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], 
diff --git a/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json b/ics-attack/relationship/relationship--f7a466c2-acdf-49b1-9906-41388f7a5238.json similarity index 73% rename from ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json rename to ics-attack/relationship/relationship--f7a466c2-acdf-49b1-9906-41388f7a5238.json index 7598a0f806..edb8d260ff 100644 --- a/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json +++ b/ics-attack/relationship/relationship--f7a466c2-acdf-49b1-9906-41388f7a5238.json @@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--8bc0a9e7-0c80-444f-8c8c-96623ebea713", + "id": "bundle--fe0472f2-275c-424b-92ec-83a992a91730", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--088580e9-ccea-426e-9411-c1de60de650d", + "id": "relationship--f7a466c2-acdf-49b1-9906-41388f7a5238", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Devices should authenticate all messages between master and outstation assets.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df.json b/ics-attack/relationship/relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df.json index 193062610d..0c8dda1f82 100644 
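Review bot: The renamed object gets a new `id` (`relationship--f7a466c2-acdf-49b1-9906-41388f7a5238`) and a new `target_ref`, yet `created` stays at `2020-09-21T17:59:24.739Z` and the one line skipped between the two hunks, presumably `modified`, is untouched. A consumer that syncs incrementally on `modified` would not pick up the re-pointed mitigation. One keyed on relationship id sees `relationship--088580e9-ccea-426e-9411-c1de60de650d` disappear without a `"revoked": true` marker, unless the old id is retired elsewhere in this commit. I would either keep the old id and set `"modified": "<timestamp of this change>"`, or give the new id fresh `created`/`modified` values and leave the old object in place as revoked. The same pattern appears in the renames to relationship--f86bc28e-6293-411e-8bbe-2e2717286529, relationship--f9ee9476-5487-4535-93fd-6b0cbbda0471 and relationship--fa391554-a3c0-4b89-9083-a53d299c5fad, the last two with the unchanged `modified` line visible as context.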
--- a/ics-attack/relationship/relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df.json +++ b/ics-attack/relationship/relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b329c68-e5b7-4ec0-86bb-36e9d0ad842d", + "id": "bundle--210fdf76-c6b5-4703-9906-6b046a93f250", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df", "created": "2023-09-27T14:58:21.360Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Booz Allen Hamilton", diff --git a/ics-attack/relationship/relationship--f7c641d2-3528-4b4a-9612-85827eb0fff8.json b/ics-attack/relationship/relationship--f7c641d2-3528-4b4a-9612-85827eb0fff8.json index 374158e177..5760e5aec7 100644 --- a/ics-attack/relationship/relationship--f7c641d2-3528-4b4a-9612-85827eb0fff8.json +++ b/ics-attack/relationship/relationship--f7c641d2-3528-4b4a-9612-85827eb0fff8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf4e7ad8-0aa7-4be0-bec7-bfc87aac9e15", + "id": "bundle--7b69be3d-e72e-484b-a910-8a852c8d427d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--f7c641d2-3528-4b4a-9612-85827eb0fff8", "created": "2024-11-20T23:29:22.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Dragos FROSTYGOOP 2024", diff --git a/ics-attack/relationship/relationship--f7d672f6-993b-4036-961d-f6e22e94446c.json b/ics-attack/relationship/relationship--f7d672f6-993b-4036-961d-f6e22e94446c.json index e2e7150a70..9486550cfc 100644 --- a/ics-attack/relationship/relationship--f7d672f6-993b-4036-961d-f6e22e94446c.json +++ b/ics-attack/relationship/relationship--f7d672f6-993b-4036-961d-f6e22e94446c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4f21433e-c401-40c7-8560-741320965aa2", + "id": "bundle--c12cc481-1bb2-4de4-9e93-4f8c9aa13548", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--f7d672f6-993b-4036-961d-f6e22e94446c", "created": "2024-04-09T20:48:30.734Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:33.625Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", diff --git a/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json b/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json index ab4714dfbc..1314fd3b51 100644 --- a/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json +++ b/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ecf79c88-9aad-47c0-9819-4316df630152", + "id": "bundle--e3d4fac1-30bf-4744-bbca-305193862140", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Eduard Kovacs May 2018", diff --git a/ics-attack/relationship/relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089.json b/ics-attack/relationship/relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089.json index b2e1f164a2..e64b60db4e 100644 --- a/ics-attack/relationship/relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089.json +++ b/ics-attack/relationship/relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c0f5918-f0aa-4916-9e77-a48f6d52ef55", + "id": "bundle--febedd9a-41a3-4e8f-9e4f-d6bf2c4b531f", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089", "created": "2023-09-28T20:16:40.519Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:34.045Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json b/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json index c9ffaae7f0..b721b940ea 100644 --- a/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json +++ b/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9c7c7c23-f34f-493f-b792-77f2eead360d", + "id": "bundle--a642c343-761c-426b-882e-0a679f8a9bd5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json b/ics-attack/relationship/relationship--f86bc28e-6293-411e-8bbe-2e2717286529.json similarity index 77% rename from ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json rename to ics-attack/relationship/relationship--f86bc28e-6293-411e-8bbe-2e2717286529.json index e0d1b4f95b..12a70d8995 100644 --- a/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json +++ b/ics-attack/relationship/relationship--f86bc28e-6293-411e-8bbe-2e2717286529.json 
@@ -1,13 +1,14 @@ { "type": "bundle", - "id": "bundle--3de51157-ff9c-4102-97d5-49f3184b7b66", + "id": "bundle--fd2600b0-42b6-4b3c-af32-d85ce37c13bc", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e", + "id": "relationship--f86bc28e-6293-411e-8bbe-2e2717286529", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -15,10 +16,10 @@ "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", "relationship_type": "mitigates", "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702.json b/ics-attack/relationship/relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702.json index d9dca5695b..fd5b8dda84 100644 --- a/ics-attack/relationship/relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702.json +++ b/ics-attack/relationship/relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--73a02f0f-b901-41fe-883d-8540cfeb9758", + "id": "bundle--dbb7f9ca-c20b-46f2-ad57-9a98ebb02753", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702", "created": "2023-03-22T15:52:30.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "PLCTop20 Mar 2023", diff --git a/ics-attack/relationship/relationship--f9164f95-51d4-4b6c-92d8-0cafe4b97e6c.json b/ics-attack/relationship/relationship--f9164f95-51d4-4b6c-92d8-0cafe4b97e6c.json index 373b4f7fd2..6d6f575a23 100644 --- a/ics-attack/relationship/relationship--f9164f95-51d4-4b6c-92d8-0cafe4b97e6c.json +++ b/ics-attack/relationship/relationship--f9164f95-51d4-4b6c-92d8-0cafe4b97e6c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--67c3329a-6e93-4611-bb36-7c1536318b11", + "id": "bundle--143cd5e9-e3a6-464b-945c-0544f63b8f40", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--f9164f95-51d4-4b6c-92d8-0cafe4b97e6c", "created": "2025-09-24T18:13:30.126Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--f92764db-a880-4726-9d28-a035170f790c.json b/ics-attack/relationship/relationship--f92764db-a880-4726-9d28-a035170f790c.json index ab7ee21fe7..8c5d97f586 100644 --- a/ics-attack/relationship/relationship--f92764db-a880-4726-9d28-a035170f790c.json +++ b/ics-attack/relationship/relationship--f92764db-a880-4726-9d28-a035170f790c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2a491165-d834-4be9-8c31-1707df190203", + "id": "bundle--d45e1c08-c084-4c43-b333-f1a2a1b6356c", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--f92764db-a880-4726-9d28-a035170f790c", "created": "2023-09-28T21:22:35.236Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:34.905Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", diff --git a/ics-attack/relationship/relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b.json b/ics-attack/relationship/relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b.json index 98e1c35f62..f588c58222 100644 --- a/ics-attack/relationship/relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b.json +++ b/ics-attack/relationship/relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1decc6d0-57de-49d3-b8cd-46de273b59d6", + "id": "bundle--3ea1c4c6-4385-4524-8b4c-4225bcaacb1d", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b", "created": "2023-09-28T19:48:37.072Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:35.518Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json b/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json index 4298cd0756..7d3d22c75f 100644 --- a/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json +++ b/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f5b227d-e4fc-48e0-9793-40d9458be881", + "id": "bundle--914353e0-3611-4289-83d4-67df19fc235a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json b/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json index f9734d9758..09c8c669dd 100644 --- a/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json +++ b/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4b52f53-ba3c-44b8-a4b0-7084385be50c", + "id": "bundle--2915bb30-9409-48ad-a88c-b2f7adf1e1e2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f9e33311-f162-4ebd-b944-8704f6dc0fd4.json b/ics-attack/relationship/relationship--f9e33311-f162-4ebd-b944-8704f6dc0fd4.json index 1aa92d0d2c..0b0cfd7fa3 100644 --- a/ics-attack/relationship/relationship--f9e33311-f162-4ebd-b944-8704f6dc0fd4.json +++ b/ics-attack/relationship/relationship--f9e33311-f162-4ebd-b944-8704f6dc0fd4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ba1ebcb-ae8e-4a91-a4e8-d4d56a87575e", + "id": "bundle--f8076f66-e854-4d4b-ba62-1ac2fc151b3b", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--ab3f0926-58e2-485e-987c-66b541d9de97", "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", 
diff --git a/ics-attack/relationship/relationship--22ba5443-ea49-4076-a666-722eb5352f70.json b/ics-attack/relationship/relationship--f9ee9476-5487-4535-93fd-6b0cbbda0471.json similarity index 71% rename from ics-attack/relationship/relationship--22ba5443-ea49-4076-a666-722eb5352f70.json rename to ics-attack/relationship/relationship--f9ee9476-5487-4535-93fd-6b0cbbda0471.json index 6d93c14ac3..e59b7eb4aa 100644 --- a/ics-attack/relationship/relationship--22ba5443-ea49-4076-a666-722eb5352f70.json +++ b/ics-attack/relationship/relationship--f9ee9476-5487-4535-93fd-6b0cbbda0471.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--79f8bf02-6822-4c96-9c6e-d2edead4c553", + "id": "bundle--ee322019-6e05-4a62-aff4-b10bf4774b96", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--22ba5443-ea49-4076-a666-722eb5352f70", + "id": "relationship--f9ee9476-5487-4535-93fd-6b0cbbda0471", "created": "2023-09-28T20:02:45.697Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:01:32.818Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "source_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json b/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json index eb9e81c926..84e74a5877 100644 --- a/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json 
+++ b/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--308f8b27-7b16-48f2-b12b-9b9910a80cf3", + "id": "bundle--b0bb3d4a-2c6c-475a-b677-19d7db3354ce", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--ed8b97e2-5966-4844-a636-524541a46e43.json b/ics-attack/relationship/relationship--fa391554-a3c0-4b89-9083-a53d299c5fad.json similarity index 71% rename from ics-attack/relationship/relationship--ed8b97e2-5966-4844-a636-524541a46e43.json rename to ics-attack/relationship/relationship--fa391554-a3c0-4b89-9083-a53d299c5fad.json index 0d409f6005..4c11bf20d1 100644 --- a/ics-attack/relationship/relationship--ed8b97e2-5966-4844-a636-524541a46e43.json +++ b/ics-attack/relationship/relationship--fa391554-a3c0-4b89-9083-a53d299c5fad.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--3b8cccf4-2015-45f9-a851-89ec661b6677", + "id": "bundle--87d495b3-e58b-4490-9ca8-21a70d0ae3dc", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--ed8b97e2-5966-4844-a636-524541a46e43", + "id": "relationship--fa391554-a3c0-4b89-9083-a53d299c5fad", "created": "2023-09-29T16:39:18.448Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13,13 +13,12 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:20.202Z", - "description": "", "relationship_type": "targets", - "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "source_ref": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5", "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--faa5ba6b-bbc4-47ab-a737-6dc1d8b31efd.json b/ics-attack/relationship/relationship--faa5ba6b-bbc4-47ab-a737-6dc1d8b31efd.json index 1fb02ba61b..d2957aea16 100644 --- a/ics-attack/relationship/relationship--faa5ba6b-bbc4-47ab-a737-6dc1d8b31efd.json +++ b/ics-attack/relationship/relationship--faa5ba6b-bbc4-47ab-a737-6dc1d8b31efd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d654aba3-e81f-4a28-869f-bc6ef832aa91", + "id": "bundle--896f7afd-0872-4052-901a-d077d00cf127", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--7f41ed29-fdc6-4c28-ba10-9de1aa129f7e", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", diff --git a/ics-attack/relationship/relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0.json b/ics-attack/relationship/relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0.json index f2b978416f..ced9d81e38 100644 --- a/ics-attack/relationship/relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0.json +++ b/ics-attack/relationship/relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--671c38ca-2de3-4c2d-b2f3-dcbb1c1d46ce", + "id": "bundle--a307c588-27aa-4b45-b902-03d12363af57", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0", "created": "2023-09-29T16:28:04.180Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:36.593Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", diff --git a/ics-attack/relationship/relationship--fad25140-73de-40d5-a010-3464188db973.json b/ics-attack/relationship/relationship--fad25140-73de-40d5-a010-3464188db973.json index 18219a8684..48ba3940b0 100644 --- a/ics-attack/relationship/relationship--fad25140-73de-40d5-a010-3464188db973.json +++ b/ics-attack/relationship/relationship--fad25140-73de-40d5-a010-3464188db973.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3018f774-29c1-495f-a8bc-ca51566fd6b3", + "id": "bundle--ded6aea7-ba14-4c69-8d15-e702ab9d4bc0", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--fad25140-73de-40d5-a010-3464188db973", "created": "2023-09-25T20:51:07.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--fadbdca3-3c98-497c-a156-e53b89664359.json b/ics-attack/relationship/relationship--fadbdca3-3c98-497c-a156-e53b89664359.json index 93f304343b..6efd9c977f 100644 --- a/ics-attack/relationship/relationship--fadbdca3-3c98-497c-a156-e53b89664359.json +++ b/ics-attack/relationship/relationship--fadbdca3-3c98-497c-a156-e53b89664359.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c7395e0-b379-424d-9774-a4c911c12d34", + "id": "bundle--447c7133-aec9-461b-8fca-2128bd849629", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--fadbdca3-3c98-497c-a156-e53b89664359", "created": "2023-09-28T20:16:55.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:37.012Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", diff --git a/ics-attack/relationship/relationship--fadc8348-837b-4d7d-91a2-679117e5fd7b.json b/ics-attack/relationship/relationship--fadc8348-837b-4d7d-91a2-679117e5fd7b.json new file mode 100644 index 0000000000..f2f0210620 --- /dev/null +++ b/ics-attack/relationship/relationship--fadc8348-837b-4d7d-91a2-679117e5fd7b.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--280d547a-196c-47fc-9ef6-7de13ea3be3f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fadc8348-837b-4d7d-91a2-679117e5fd7b",
+ "created": "2026-04-22T20:11:46.591Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "CERT Polska",
+ "description": "CERT Polska. (2026, January 30). Energy Sector Incident Report \u2013 29 December. Retrieved April 22, 2026.",
+ "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T20:22:08.533Z",
+ "description": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries remotely executed commands on systems using [PsExec](https://attack.mitre.org/software/S0029) to gather information about running processes, network connections, routing tables, ARP cache, and contents of user directories.(Citation: CERT Polska)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d",
+ "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--faf163b6-4e35-43d6-9c0c-83d91d215854.json b/ics-attack/relationship/relationship--faf163b6-4e35-43d6-9c0c-83d91d215854.json
index b0e9f9a7a2..ab83762fac 100644
--- a/ics-attack/relationship/relationship--faf163b6-4e35-43d6-9c0c-83d91d215854.json
+++ b/ics-attack/relationship/relationship--faf163b6-4e35-43d6-9c0c-83d91d215854.json
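Review bot: The `source_name` of the new external reference is just `"CERT Polska"`, while the other reference names visible in this diff carry a topic or date qualifier ("Dragos FROSTYGOOP 2024", "Claroty Fuxnet 2024", "PLCTop20 Mar 2023"). The `(Citation: CERT Polska)` marker in the description appears to resolve by that name, so a second CERT Polska report cited later would be ambiguous or collide. A qualified key would avoid that, for example (constructed) `"source_name": "CERT Polska Energy Sector Jan 2026"` with the citation marker updated to match.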
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ca183ce-42ea-44cc-8471-a8a3d2eea708", + "id": "bundle--d23aa42b-c578-457c-831e-de6fe299fa2d", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--faf163b6-4e35-43d6-9c0c-83d91d215854", "created": "2024-09-11T22:57:39.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Claroty Fuxnet 2024", diff --git a/ics-attack/relationship/relationship--fb4ee993-feb0-414f-b724-6ba392b1e560.json b/ics-attack/relationship/relationship--fb4ee993-feb0-414f-b724-6ba392b1e560.json index 71b1a4f4e6..7f080acf08 100644 --- a/ics-attack/relationship/relationship--fb4ee993-feb0-414f-b724-6ba392b1e560.json +++ b/ics-attack/relationship/relationship--fb4ee993-feb0-414f-b724-6ba392b1e560.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--56cb06ef-57f7-45d5-bb89-02f306f628a5", + "id": "bundle--2d2eba9b-2e7d-471f-9a63-fe9f0c0c01be", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--fb4ee993-feb0-414f-b724-6ba392b1e560", "created": "2025-09-29T19:10:44.136Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--fb8530c7-b6d7-44be-851e-1eb773f47e72.json b/ics-attack/relationship/relationship--fb8530c7-b6d7-44be-851e-1eb773f47e72.json new file mode 100644 index 0000000000..7a014ea87d --- /dev/null +++ b/ics-attack/relationship/relationship--fb8530c7-b6d7-44be-851e-1eb773f47e72.json 
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--d2d5a6af-0870-4ce7-9f6d-0f502f1c9fed",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fb8530c7-b6d7-44be-851e-1eb773f47e72",
+ "created": "2026-04-22T16:41:15.170Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T16:41:15.170Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c",
+ "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fc02e858-0e4d-462c-8f66-f7289677c559.json b/ics-attack/relationship/relationship--fc02e858-0e4d-462c-8f66-f7289677c559.json
new file mode 100644
index 0000000000..2476939053
--- /dev/null
+++ b/ics-attack/relationship/relationship--fc02e858-0e4d-462c-8f66-f7289677c559.json
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--3d34779a-a091-4a91-b2c9-a1cdf35e1ae1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fc02e858-0e4d-462c-8f66-f7289677c559", + "created": "2026-04-22T17:51:53.280Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T16:19:51.453Z", + "description": "Ensure permissions restrict project file access to only engineer and technician user groups and accounts.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1.json b/ics-attack/relationship/relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1.json index 3d2cf20293..48f860a535 100644 --- a/ics-attack/relationship/relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1.json +++ b/ics-attack/relationship/relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3635119c-bb41-4115-bddb-86ee7ad440e7", + "id": "bundle--d0c401e1-cede-44b7-bd3b-8916bd48aade", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1", "created": "2023-09-29T17:38:28.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:37.622Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", diff --git a/ics-attack/relationship/relationship--fc3a187f-7437-413f-bea4-14936ce86512.json b/ics-attack/relationship/relationship--fc3a187f-7437-413f-bea4-14936ce86512.json index 30cf69b3d3..0cc079fc61 100644 --- a/ics-attack/relationship/relationship--fc3a187f-7437-413f-bea4-14936ce86512.json +++ b/ics-attack/relationship/relationship--fc3a187f-7437-413f-bea4-14936ce86512.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e5ebb3ce-8bbd-44dd-92a2-dd7ede93435e", + "id": "bundle--73b9e948-a189-4697-8d9b-802afdbe3537", "spec_version": "2.0", "objects": [ { @@ -12,7 +12,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-10-21T15:10:28.402Z", - "description": "", "relationship_type": "detects", "source_ref": "x-mitre-detection-strategy--87493fa2-bb78-4e28-b882-d79eecd10740", "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", diff --git a/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json b/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json index e9d09fe329..e889309e71 100644 --- a/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json +++ b/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0f86152d-20aa-4800-8a3b-ba08712fefab", + "id": "bundle--20fc01c4-07b5-40a0-82eb-de22b38a6db2", "spec_version": "2.0", "objects": [ { 
@@ -8,7 +8,6 @@ "id": "relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Eduard Kovacs May 2018", diff --git a/ics-attack/relationship/relationship--fc508fcc-6f19-44da-bbc0-de6aaa627d04.json b/ics-attack/relationship/relationship--fc508fcc-6f19-44da-bbc0-de6aaa627d04.json index 791186ad68..9a82c5f4ad 100644 --- a/ics-attack/relationship/relationship--fc508fcc-6f19-44da-bbc0-de6aaa627d04.json +++ b/ics-attack/relationship/relationship--fc508fcc-6f19-44da-bbc0-de6aaa627d04.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e09a41d0-ec05-4ff4-9dc4-2b7a6be15f6e", + "id": "bundle--8b40a318-76e8-4819-a3f9-40ac6aec5701", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--fc508fcc-6f19-44da-bbc0-de6aaa627d04", "created": "2025-09-29T19:16:18.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--fc77a4bc-1383-492a-a04b-9062345ced53.json b/ics-attack/relationship/relationship--fc77a4bc-1383-492a-a04b-9062345ced53.json new file mode 100644 index 0000000000..2add526615 --- /dev/null +++ b/ics-attack/relationship/relationship--fc77a4bc-1383-492a-a04b-9062345ced53.json 
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--14c495ce-8cce-4b43-8829-c37fd35b3748",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fc77a4bc-1383-492a-a04b-9062345ced53",
+ "created": "2026-04-22T16:06:19.136Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-23T15:49:59.483Z",
+ "description": "Filter for protocols and payloads associated with firmware activation or updating activity.",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
+ "target_ref": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fc8e2629-c7ea-4b3c-b614-edde1a700f27.json b/ics-attack/relationship/relationship--fc8e2629-c7ea-4b3c-b614-edde1a700f27.json
new file mode 100644
index 0000000000..4f6df8f4ce
--- /dev/null
+++ b/ics-attack/relationship/relationship--fc8e2629-c7ea-4b3c-b614-edde1a700f27.json
@@ -0,0 +1,24 @@
+{
+ "type": "bundle",
+ "id": "bundle--dcd42b15-dd82-44a0-90a8-987ae3febac3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--fc8e2629-c7ea-4b3c-b614-edde1a700f27",
+ "created": "2026-04-22T20:16:16.558Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-22T20:16:16.558Z",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c",
+ "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.3.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--fcb02e3f-3a41-46fc-8014-f1e95b14e28a.json b/ics-attack/relationship/relationship--fcb02e3f-3a41-46fc-8014-f1e95b14e28a.json
new file mode 100644
index 0000000000..eaf399c677
--- /dev/null
+++ b/ics-attack/relationship/relationship--fcb02e3f-3a41-46fc-8014-f1e95b14e28a.json
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--d80be1ed-30d3-4928-bab5-40d7f07e67c6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fcb02e3f-3a41-46fc-8014-f1e95b14e28a", + "created": "2026-04-22T21:38:15.078Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T21:38:15.079Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json b/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json index a42720044f..8c9f174cf9 100644 --- a/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json +++ b/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ede2942b-5efd-422b-9a4f-07fe65818f0a", + "id": "bundle--e1974799-1280-4372-8fdc-978d40fde102", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fcba6a58-72b0-4d54-a887-740624e22f6f.json b/ics-attack/relationship/relationship--fcba6a58-72b0-4d54-a887-740624e22f6f.json index ff9b1c613c..cc1ad1695b 100644 --- a/ics-attack/relationship/relationship--fcba6a58-72b0-4d54-a887-740624e22f6f.json +++ b/ics-attack/relationship/relationship--fcba6a58-72b0-4d54-a887-740624e22f6f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0fcca553-7ff0-4535-a44e-11e0426360e7", + "id": "bundle--721af3c6-96bd-424c-badc-44f6e54a6033", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--fcba6a58-72b0-4d54-a887-740624e22f6f", "created": "2024-03-26T15:42:36.840Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:38.920Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", diff --git a/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json b/ics-attack/relationship/relationship--fcc33052-42c2-485c-903c-cd86e5a87f34.json similarity index 84% rename from ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json rename to ics-attack/relationship/relationship--fcc33052-42c2-485c-903c-cd86e5a87f34.json index f6a7084cb4..2519e73397 100644 --- a/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json +++ b/ics-attack/relationship/relationship--fcc33052-42c2-485c-903c-cd86e5a87f34.json @@ -1,11 +1,11 @@ { "type": "bundle", - "id": "bundle--4c0d7800-61cb-45dc-a244-5481358d586a", + "id": "bundle--a382e590-3132-4030-b4c4-403c66ac9c19", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--1f785984-791e-4612-be32-9ee6903a9c0b", + "id": "relationship--fcc33052-42c2-485c-903c-cd86e5a87f34", "created": "2022-09-28T20:26:09.928Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -23,10 +23,10 @@ "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "target_ref": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json b/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json index f7bc7bf38f..d248a5c468 100644 --- a/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json +++ b/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--92ae9db2-101c-4b0f-b267-faf942fee1ce", + "id": "bundle--03fba96a-47f2-4367-b985-d78f7414ed95", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fcd7c2bf-638e-409f-bc36-fff28c3cc68f.json b/ics-attack/relationship/relationship--fcd7c2bf-638e-409f-bc36-fff28c3cc68f.json index c9cc55ff71..f744575493 100644 --- a/ics-attack/relationship/relationship--fcd7c2bf-638e-409f-bc36-fff28c3cc68f.json +++ b/ics-attack/relationship/relationship--fcd7c2bf-638e-409f-bc36-fff28c3cc68f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--05fe0851-1c05-49da-a55b-92b9210ea29b", + "id": "bundle--10995f8a-ce5e-4d45-9cdd-147096373a16", "spec_version": "2.0", "objects": [ { 
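Review bot: In `relationship--fcc33052-42c2-485c-903c-cd86e5a87f34.json` the `target_ref` is repointed in the same change that re-issues the object under a new STIX id (renamed from `relationship--1f785984-…`), and the diff shows no revoked copy of the old id. A consumer that keys technique-to-software coverage on relationship ids therefore sees an unexplained delete plus an add, and the new id still carries `"created": "2022-09-28T20:26:09.928Z"`, so it does not look new. Presumably the old target technique was revoked or merged; if so, either keep the original id and change only `target_ref` and `modified`, or publish the old object with `"revoked": true` so the retarget stays traceable. The renames to `relationship--fd52f382-…` and `relationship--fd8cd074-…` further down follow the same pattern.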
@@ -8,7 +8,6 @@ "id": "relationship--fcd7c2bf-638e-409f-bc36-fff28c3cc68f", "created": "2025-09-29T19:03:28.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--fcdf1912-dfc8-4cc3-92de-c6689353dd8e.json b/ics-attack/relationship/relationship--fcdf1912-dfc8-4cc3-92de-c6689353dd8e.json new file mode 100644 index 0000000000..8674e80dc5 --- /dev/null +++ b/ics-attack/relationship/relationship--fcdf1912-dfc8-4cc3-92de-c6689353dd8e.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--bdeb019b-42df-4f7a-8114-daefa81d0a91", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fcdf1912-dfc8-4cc3-92de-c6689353dd8e", + "created": "2026-04-23T00:29:11.945Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:29:11.945Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135", + "target_ref": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fd1bde9f-b2a5-48e2-ac92-cb6097040a71.json b/ics-attack/relationship/relationship--fd1bde9f-b2a5-48e2-ac92-cb6097040a71.json index 7624eed348..307fd6a349 100644 --- a/ics-attack/relationship/relationship--fd1bde9f-b2a5-48e2-ac92-cb6097040a71.json +++ b/ics-attack/relationship/relationship--fd1bde9f-b2a5-48e2-ac92-cb6097040a71.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f4ef954-0c1e-4e1e-af1b-90c0ec5d0cbd", + "id": "bundle--d68cab7b-90b8-48e5-997c-488c9c19689e", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--fd1bde9f-b2a5-48e2-ac92-cb6097040a71", "created": "2025-09-24T18:04:32.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--fd1f3d4e-825f-4b25-aaf7-c82823ccf341.json b/ics-attack/relationship/relationship--fd1f3d4e-825f-4b25-aaf7-c82823ccf341.json index 9b0f13a92a..7d2cf4c974 100644 --- a/ics-attack/relationship/relationship--fd1f3d4e-825f-4b25-aaf7-c82823ccf341.json +++ b/ics-attack/relationship/relationship--fd1f3d4e-825f-4b25-aaf7-c82823ccf341.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--83b9d7df-55e9-4172-ae0a-6782c935242d", + "id": "bundle--38cffa8f-bb83-429f-afea-db5973ce80e0", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--fd1f3d4e-825f-4b25-aaf7-c82823ccf341", "created": "2025-09-24T18:22:03.083Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--fd309395-8fcc-402c-9227-90ac897fd602.json b/ics-attack/relationship/relationship--fd309395-8fcc-402c-9227-90ac897fd602.json index d59ae9ab2c..1b24dba43f 100644 --- a/ics-attack/relationship/relationship--fd309395-8fcc-402c-9227-90ac897fd602.json +++ b/ics-attack/relationship/relationship--fd309395-8fcc-402c-9227-90ac897fd602.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d037ac98-e9a3-4a30-a630-b89f50c9c731", + "id": "bundle--b882e960-455e-49dd-a195-372438f44590", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--fd309395-8fcc-402c-9227-90ac897fd602", "created": "2024-03-26T15:41:39.905Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:39.554Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--77d9c726-b53e-481d-8bcc-1068aebfbb9d", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json b/ics-attack/relationship/relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json index 028351fd92..faf2b4f4ef 100644 --- a/ics-attack/relationship/relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json +++ b/ics-attack/relationship/relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5476873a-57c7-4eda-93d6-6cbe4053b789", + "id": "bundle--a685ae7d-cb5a-4f30-9c9e-3e1f86f23b68", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd", "created": "2023-10-02T20:23:41.227Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:39.770Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
diff --git a/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json b/ics-attack/relationship/relationship--fd52f382-115f-483a-82c1-bb31fe5d5eb6.json similarity index 79% rename from ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json rename to ics-attack/relationship/relationship--fd52f382-115f-483a-82c1-bb31fe5d5eb6.json index 9bc13de9cf..d9550bcb16 100644 --- a/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json +++ b/ics-attack/relationship/relationship--fd52f382-115f-483a-82c1-bb31fe5d5eb6.json @@ -1,24 +1,15 @@ { "type": "bundle", - "id": "bundle--24570af2-dd0b-4d3a-bff8-84e6cfe62155", + "id": "bundle--19a3d22c-b306-4f29-a473-3cf27b3e39b2", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd", + "id": "relationship--fd52f382-115f-483a-82c1-bb31fe5d5eb6", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, { "source_name": "Department of Homeland Security September 2016", "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", 
@@ -28,19 +19,29 @@ "source_name": "Dwight Anderson 2014", "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + }, + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-28T15:25:28.236Z", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "modified": "2026-04-23T19:00:47.255Z", + "description": "Segment operational assets and their management devices based on their functional role within the process. 
Enabling more strict isolation to more critical control and operational information within the control environment.(Citation: Karen Scarfone; Paul Hoffman September 2009)(Citation: Keith Stouffer May 2015)(Citation: Department of Homeland Security September 2016)(Citation: Dwight Anderson 2014) \n", "relationship_type": "mitigates", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json b/ics-attack/relationship/relationship--fd8cd074-9e66-45f3-b41f-71f7aaf00ee6.json similarity index 58% rename from ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json rename to ics-attack/relationship/relationship--fd8cd074-9e66-45f3-b41f-71f7aaf00ee6.json index 44a424bf7b..653e545247 100644 --- a/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json +++ b/ics-attack/relationship/relationship--fd8cd074-9e66-45f3-b41f-71f7aaf00ee6.json 
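Review bot: The rewritten `description` in `relationship--fd52f382-…` was touched only to tighten the citation spacing, so it still ends in ` \n` after the last citation and its second sentence ("Enabling more strict isolation …") is still a fragment. I would end the string at `(Citation: Dwight Anderson 2014)"` and fold the fragment into the first sentence, for example `…based on their functional role within the process, enabling stricter isolation of the more critical control and operational information within the control environment.` The page also shows the new string broken after "within the process."; if that is a stray line-separator character in the file rather than a rendering artifact, it should go too. The `description` in the `relationship--fd8cd074-…` hunk below keeps a trailing `\n` as well.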
@@ -1,25 +1,25 @@ { "type": "bundle", - "id": "bundle--cc4a5c1a-9856-42ce-9db4-57f45660d05c", + "id": "bundle--bfa73b58-60ed-4917-9a7b-25350859f0d7", "spec_version": "2.0", "objects": [ { "type": "relationship", - "id": "relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f", + "id": "relationship--fd8cd074-9e66-45f3-b41f-71f7aaf00ee6", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-04-16T23:04:27.786Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "modified": "2025-12-24T17:46:05.669Z", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_attack_spec_version": "3.2.0" + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fdc20415-c9a1-405e-80af-3d297894e8fa.json b/ics-attack/relationship/relationship--fdc20415-c9a1-405e-80af-3d297894e8fa.json index 49b7250be3..1276a81608 100644 --- a/ics-attack/relationship/relationship--fdc20415-c9a1-405e-80af-3d297894e8fa.json +++ b/ics-attack/relationship/relationship--fdc20415-c9a1-405e-80af-3d297894e8fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9fb6ae0d-c70e-40e9-88aa-59b16599fa0f", + "id": "bundle--08ecd60a-2e4a-4a98-87d5-cd38768c0acb", "spec_version": "2.0", "objects": [ { 
@@ -8,12 +8,10 @@ "id": "relationship--fdc20415-c9a1-405e-80af-3d297894e8fa", "created": "2023-09-28T19:58:30.849Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:40.401Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--fe19d9d1-a560-425d-a41a-a643199aa79b.json b/ics-attack/relationship/relationship--fe19d9d1-a560-425d-a41a-a643199aa79b.json new file mode 100644 index 0000000000..86ccc04b15 --- /dev/null +++ b/ics-attack/relationship/relationship--fe19d9d1-a560-425d-a41a-a643199aa79b.json @@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--96690d2c-1c4c-44c1-bcae-53d10ba363ac", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fe19d9d1-a560-425d-a41a-a643199aa79b", + "created": "2026-04-22T20:33:11.987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:33:11.987Z", + "relationship_type": "detects", + "source_ref": "x-mitre-detection-strategy--c4ddc0d7-0296-4d92-9ae1-1a4b7b5d1640", + "target_ref": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f.json b/ics-attack/relationship/relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f.json index 1ebbff9cde..0240214dc3 100644 
--- a/ics-attack/relationship/relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f.json +++ b/ics-attack/relationship/relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d5f9237-1f95-4933-bb40-8171ca9b66ca", + "id": "bundle--4fec83d6-75ae-447b-8548-037be043d4ea", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f", "created": "2023-09-28T21:10:39.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:40.807Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", diff --git a/ics-attack/relationship/relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json b/ics-attack/relationship/relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json index fc61ee3e9d..c904824123 100644 --- a/ics-attack/relationship/relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json +++ b/ics-attack/relationship/relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5aac4696-0c2c-4fd9-b919-89051dc0f51e", + "id": "bundle--0c981ae6-01b6-4149-8c29-953fb67a5f6c", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926", "created": "2023-09-28T21:26:59.998Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:41.023Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
diff --git a/ics-attack/relationship/relationship--fe3bd9f0-2cdb-420d-88fa-352125bd7f28.json b/ics-attack/relationship/relationship--fe3bd9f0-2cdb-420d-88fa-352125bd7f28.json index c367a068fc..38bb6916f7 100644 --- a/ics-attack/relationship/relationship--fe3bd9f0-2cdb-420d-88fa-352125bd7f28.json +++ b/ics-attack/relationship/relationship--fe3bd9f0-2cdb-420d-88fa-352125bd7f28.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f6f3e0a-a38c-47f8-abe2-42bb7d9f6e64", + "id": "bundle--b706212e-5066-454e-9faf-28d2f0dc0b4a", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--fe3bd9f0-2cdb-420d-88fa-352125bd7f28", "created": "2025-09-24T18:22:16.837Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--feb32f07-00f0-404f-920d-8891be40b655.json b/ics-attack/relationship/relationship--feb32f07-00f0-404f-920d-8891be40b655.json index 912d91f0a6..259c67e4d3 100644 --- a/ics-attack/relationship/relationship--feb32f07-00f0-404f-920d-8891be40b655.json +++ b/ics-attack/relationship/relationship--feb32f07-00f0-404f-920d-8891be40b655.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2e9ebbb2-cd10-46a1-8bab-01c5bc49005c", + "id": "bundle--110777a0-bce7-4aff-9447-7e1531e4d276", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--feb32f07-00f0-404f-920d-8891be40b655", "created": "2025-09-29T19:08:19.567Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], diff --git a/ics-attack/relationship/relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json b/ics-attack/relationship/relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json index 487408fc19..a117d025ca 100644 
--- a/ics-attack/relationship/relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json +++ b/ics-attack/relationship/relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ccca75e3-e494-41ee-b9d0-3941e58b38bd", + "id": "bundle--7928fd60-a2d1-46c5-a62e-b0d866d4a214", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb", "created": "2023-09-28T19:56:26.241Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:41.267Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", diff --git a/ics-attack/relationship/relationship--ff107632-751b-4efb-86bd-af670b48d35d.json b/ics-attack/relationship/relationship--ff107632-751b-4efb-86bd-af670b48d35d.json index 1482b396c1..4d2b6814f1 100644 --- a/ics-attack/relationship/relationship--ff107632-751b-4efb-86bd-af670b48d35d.json +++ b/ics-attack/relationship/relationship--ff107632-751b-4efb-86bd-af670b48d35d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20b1c5fe-1a2b-41b6-aef4-3be15e3afcae", + "id": "bundle--523771e8-f5db-47f8-94b1-334a580ba147", "spec_version": "2.0", "objects": [ { @@ -8,12 +8,10 @@ "id": "relationship--ff107632-751b-4efb-86bd-af670b48d35d", "created": "2023-09-28T21:21:30.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2025-04-16T23:05:41.468Z", - "description": "", "relationship_type": "targets", "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", 
diff --git a/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json b/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json index be8dff3c1c..4e2e3acf06 100644 --- a/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json +++ b/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2b703024-6ace-4443-ac62-3c812815879b", + "id": "bundle--b37ac651-666c-4fe1-8b5f-d8afc421b5b9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json b/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json index 287f324d06..7fa195d1a7 100644 --- a/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json +++ b/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a848d755-70ca-4090-bfdb-55ce8aa17bd4", + "id": "bundle--eab79530-61e9-4c8c-a2f7-5cf4950ac80c", "spec_version": "2.0", "objects": [ { @@ -8,7 +8,6 @@ "id": "relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b", "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "external_references": [ { "source_name": "Joe Slowik April 2019", diff --git a/ics-attack/relationship/relationship--ffd2ae1d-6c1d-4d27-8cf0-bc745100bba7.json b/ics-attack/relationship/relationship--ffd2ae1d-6c1d-4d27-8cf0-bc745100bba7.json new file mode 100644 index 0000000000..4fc0d73ed3 --- /dev/null +++ b/ics-attack/relationship/relationship--ffd2ae1d-6c1d-4d27-8cf0-bc745100bba7.json 
@@ -0,0 +1,24 @@ +{ + "type": "bundle", + "id": "bundle--faeff474-0b22-4611-aa96-917db9194a9e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ffd2ae1d-6c1d-4d27-8cf0-bc745100bba7", + "created": "2026-04-22T20:38:50.866Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-22T20:38:50.866Z", + "relationship_type": "targets", + "source_ref": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91", + "target_ref": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.3.0" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--0099659c-6a20-4331-9d47-b1c0c380fd6b.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--0099659c-6a20-4331-9d47-b1c0c380fd6b.json index 650cb31f7d..fd36826efa 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--0099659c-6a20-4331-9d47-b1c0c380fd6b.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--0099659c-6a20-4331-9d47-b1c0c380fd6b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--72608fb4-5617-4a57-87c7-5ca9b9b412a1", + "id": "bundle--ff3803a6-f946-4ccf-9b92-f04aecbbf017", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--058d856a-6356-402f-b3ff-a7c1b6186921.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--058d856a-6356-402f-b3ff-a7c1b6186921.json index 10c165aedd..103276abc5 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--058d856a-6356-402f-b3ff-a7c1b6186921.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--058d856a-6356-402f-b3ff-a7c1b6186921.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--461b19cb-92ae-43e1-b2a2-14ca6ff2405f",
+ "id": "bundle--bbb6d33d-6827-47e8-8dda-55c0fd6fdae6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--05ca4f07-df4f-4e88-b216-f40ca6ce39b8.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--05ca4f07-df4f-4e88-b216-f40ca6ce39b8.json
index fc1f81e674..00731ccb36 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--05ca4f07-df4f-4e88-b216-f40ca6ce39b8.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--05ca4f07-df4f-4e88-b216-f40ca6ce39b8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f59748da-b542-4f19-b518-720550eca5ef",
+ "id": "bundle--0e3f333b-7c0f-4eb1-828a-570cfc1418e1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--0b4e7cfa-9f9d-49b0-b5bf-afdf62058c5a.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--0b4e7cfa-9f9d-49b0-b5bf-afdf62058c5a.json
new file mode 100644
index 0000000000..a49b265061
--- /dev/null
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--0b4e7cfa-9f9d-49b0-b5bf-afdf62058c5a.json
@@ -0,0 +1,64 @@
+{
+ "type": "bundle",
+ "id": "bundle--37b10203-d7a1-44ff-baa5-1082c89aa72d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--0b4e7cfa-9f9d-49b0-b5bf-afdf62058c5a",
+ "created": "2026-04-22T22:55:44.526Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0912#AN2055",
+ "external_id": "AN2055"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:33:52.139Z",
+ "name": "Analytic 2055",
+ "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Wi-Fi messages are blocked.\n\nMonitor for a loss of network communications, which may indicate this technique is being used.\n\nMonitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.\n\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\n\nMonitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.\n",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
+ "name": "Operational Databases",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
+ "name": "Databases",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "name": "Application Log",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+ "name": "Process",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--1017530e-423d-4857-80b6-99891bf82d28.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--1017530e-423d-4857-80b6-99891bf82d28.json
new file mode 100644
index 0000000000..fb6c898506
--- /dev/null
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--1017530e-423d-4857-80b6-99891bf82d28.json
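Review bot: The added analytic AN2055 encodes "no value" as the literal string `"None"` in `x_mitre_platforms` and in every `channel` of `x_mitre_log_source_references`, so a consumer that filters analytics by platform or maps `channel` to a concrete log source will treat `None` as a real value. The same placeholder appears in the new analytics AN2048, AN2058, AN2057 and AN2053 in this diff. If this is the collection's convention for ICS objects it should be documented for consumers; otherwise, where the schema allows it, an empty array (`"x_mitre_platforms": []`) and an omitted `channel` would let coverage tooling tell "not specified" apart from a named platform or channel. As written, none of these analytics names a log channel, so they should not be counted as deployable detections without a local mapping to telemetry.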
@@ -0,0 +1,49 @@
+{
+ "type": "bundle",
+ "id": "bundle--abdab908-941b-40cc-89e6-e9f3005f0405",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--1017530e-423d-4857-80b6-99891bf82d28",
+ "created": "2026-04-22T16:28:31.400Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0905#AN2048",
+ "external_id": "AN2048"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:33:52.442Z",
+ "name": "Analytic 2048",
+ "description": "Monitor network traffic for insecure credential use in protocols that allow unencrypted authentication.\n\nMonitor logon sessions for insecure credential use, when feasible.\n",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
+ "name": "Logon Session",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--11a350cf-1ea0-4065-877b-c3bb410bf3a0.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--11a350cf-1ea0-4065-877b-c3bb410bf3a0.json
index 6da09801a4..ee31756867 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--11a350cf-1ea0-4065-877b-c3bb410bf3a0.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--11a350cf-1ea0-4065-877b-c3bb410bf3a0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ff6edd4c-5110-43b1-9add-cc882c5810f2",
+ "id": "bundle--6ba2af73-eb6f-444a-93ab-e3127a73b918",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--1672d2e3-8756-4380-b22c-517aa9f1cce0.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--1672d2e3-8756-4380-b22c-517aa9f1cce0.json
index 7fc27f7631..afd84c2161 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--1672d2e3-8756-4380-b22c-517aa9f1cce0.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--1672d2e3-8756-4380-b22c-517aa9f1cce0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--18872dbd-189f-40e1-82b7-2c614c83ffa5",
+ "id": "bundle--762cfe83-6789-43b1-99a4-ba7c84e4d417",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--1be515a0-2656-4b35-a561-e8157169350d.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--1be515a0-2656-4b35-a561-e8157169350d.json
index 5e08fbd5a4..d0cda9de1e 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--1be515a0-2656-4b35-a561-e8157169350d.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--1be515a0-2656-4b35-a561-e8157169350d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6658d66f-c6d1-4ebf-8ac2-fdf9f48d39bb",
+ "id": "bundle--562d6009-a9f0-494b-ba5c-45c75e844223",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--1e9c5d46-14e2-4efc-8861-e6dc942b3b9c.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--1e9c5d46-14e2-4efc-8861-e6dc942b3b9c.json
index 173a6e08a6..fc3dff2a87 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--1e9c5d46-14e2-4efc-8861-e6dc942b3b9c.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--1e9c5d46-14e2-4efc-8861-e6dc942b3b9c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7d14a5e6-5eda-40d7-8f23-fb04b588f2fb",
+ "id": "bundle--dd84c688-deb7-4c8d-9687-269cf733ece8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--2195ec67-7cea-4b0d-a678-18384089bf2c.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--2195ec67-7cea-4b0d-a678-18384089bf2c.json
index 98c5568178..c819d75b34 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--2195ec67-7cea-4b0d-a678-18384089bf2c.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--2195ec67-7cea-4b0d-a678-18384089bf2c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ec5c4671-647c-432c-a2e5-98c90dc38321",
+ "id": "bundle--7e7713fc-6604-42d1-91c5-f618e26f65b3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--22b202f2-d4dd-44dd-b5e1-791ff2aef8ed.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--22b202f2-d4dd-44dd-b5e1-791ff2aef8ed.json
new file mode 100644
index 0000000000..d769b3cfd5
--- /dev/null
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--22b202f2-d4dd-44dd-b5e1-791ff2aef8ed.json
@@ -0,0 +1,59 @@
+{
+ "type": "bundle",
+ "id": "bundle--5ecc42d6-7a8a-428a-823e-db98ce8c79a7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--22b202f2-d4dd-44dd-b5e1-791ff2aef8ed",
+ "created": "2026-04-23T00:42:36.732Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0915#AN2058",
+ "external_id": "AN2058"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:33:53.216Z",
+ "name": "Analytic 2058",
+ "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.\n\nMonitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.\n\nConsult asset management systems to understand expected program versions.\n\nMonitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.\n",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
+ "name": "Operational Databases",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "name": "Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706",
+ "name": "Asset",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "name": "Application Log",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--2388dc31-ba9a-4c12-b4b9-28bbc981c73e.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--2388dc31-ba9a-4c12-b4b9-28bbc981c73e.json
index ab312e2b5d..fc340bbf85 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--2388dc31-ba9a-4c12-b4b9-28bbc981c73e.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--2388dc31-ba9a-4c12-b4b9-28bbc981c73e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--98946d43-0bf1-4f9b-947b-a0362ef52e9b",
+ "id": "bundle--c4d7c518-b047-49ef-8f75-dfcef792ad93",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--23ce0ac3-6afe-4647-be72-e1e9bcd1490e.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--23ce0ac3-6afe-4647-be72-e1e9bcd1490e.json
index 2b745fc774..7031d49717 100644
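Review bot: In AN2058 the log source entry for `x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c` is named `"Traffic"`, while the new AN2048 in this same diff names that identical reference `"Network Traffic"`; AN2057 repeats the `"Traffic"` spelling. Tooling that groups log sources by `name` rather than by `x_mitre_data_component_ref` would split one component into two buckets, so one spelling should be used, presumably `"name": "Network Traffic",`. AN2058 and AN2057 also carry a byte-identical `description` and log source list, which is worth confirming as intended rather than a copy left unedited.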
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--23ce0ac3-6afe-4647-be72-e1e9bcd1490e.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--23ce0ac3-6afe-4647-be72-e1e9bcd1490e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f60dc438-9d36-4e95-a1f2-ae76292a57e7",
+ "id": "bundle--7f67bfd5-7d9b-475d-9d61-f133ac3b54ec",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--23eb2bc3-735d-4425-96e1-f9d3a1453bfa.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--23eb2bc3-735d-4425-96e1-f9d3a1453bfa.json
index 00af926b54..5e3fb3c1b9 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--23eb2bc3-735d-4425-96e1-f9d3a1453bfa.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--23eb2bc3-735d-4425-96e1-f9d3a1453bfa.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--aa520d1e-58ef-496c-b14d-bf2385a670ff",
+ "id": "bundle--60f1f0f9-c7ec-4694-a9b7-59e90e9933a2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--28eb77c1-1834-4b7a-a06f-afebb7f2e756.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--28eb77c1-1834-4b7a-a06f-afebb7f2e756.json
index 82323192dd..ef9af8b575 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--28eb77c1-1834-4b7a-a06f-afebb7f2e756.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--28eb77c1-1834-4b7a-a06f-afebb7f2e756.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9070dc63-ba53-40ff-b49f-34ee30cdd7fa",
+ "id": "bundle--aaf67df5-9bf7-473d-a162-189ff3633e61",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--29b6e4b8-878c-4139-aa56-7e1513714d34.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--29b6e4b8-878c-4139-aa56-7e1513714d34.json
index c3141b99cc..03f811591b 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--29b6e4b8-878c-4139-aa56-7e1513714d34.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--29b6e4b8-878c-4139-aa56-7e1513714d34.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--64ad8e2a-c4ee-4b85-b8ef-c4ba96acbc68",
+ "id": "bundle--30397167-1088-4dc6-8b6b-85b520042200",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--302a5327-70cf-44b5-b592-ce9a62014dcc.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--302a5327-70cf-44b5-b592-ce9a62014dcc.json
index 9907260681..44fea99c3c 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--302a5327-70cf-44b5-b592-ce9a62014dcc.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--302a5327-70cf-44b5-b592-ce9a62014dcc.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--adb11843-5c91-4e16-aaba-d0efea006706",
+ "id": "bundle--b7ff9606-aee9-4cf8-9d50-99fbfad136be",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--322ac45b-d540-4d2a-84a1-cde200238b95.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--322ac45b-d540-4d2a-84a1-cde200238b95.json
index 46e539f6a1..251be5dee3 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--322ac45b-d540-4d2a-84a1-cde200238b95.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--322ac45b-d540-4d2a-84a1-cde200238b95.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--47cba1c7-4005-46ce-8879-9590e7bdb0db",
+ "id": "bundle--d332e73d-181c-40e0-a7f7-87908a541b0e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--32bfb2ab-2ad1-4c00-8428-96bc626c34f3.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--32bfb2ab-2ad1-4c00-8428-96bc626c34f3.json
index b5f3abc77e..933ef8f311 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--32bfb2ab-2ad1-4c00-8428-96bc626c34f3.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--32bfb2ab-2ad1-4c00-8428-96bc626c34f3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--700097fd-2087-43c1-964f-3b8aaa8ee9ed",
+ "id": "bundle--44fefbb3-e11c-4518-8888-d7c933cc61a7",
 "spec_version": "2.0",
 "objects": [
 {
@@ -20,7 +20,7 @@
 ],
 "modified": "2025-10-21T15:10:28.402Z",
 "name": "Analytic 1879",
- "description": "Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.\nMonitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.\nVarious techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).\nSpoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.\n\nVarious techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.",
+ "description": "Various techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.\nMonitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.\nVarious techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [Name Resolution Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).\nSpoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.\n\nVarious techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "3.3.0",
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--32db74f9-d46d-4728-891a-113a8b8e2b07.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--32db74f9-d46d-4728-891a-113a8b8e2b07.json
index 5db3183646..b98253a885 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--32db74f9-d46d-4728-891a-113a8b8e2b07.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--32db74f9-d46d-4728-891a-113a8b8e2b07.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--291017e1-88ab-4a59-9815-53772c3ee794",
+ "id": "bundle--8b3f776c-817f-429d-a86a-b0588eceb5bf",
 "spec_version": "2.0",
 "objects": [
 {
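Review bot: The `description` of Analytic 1879 changes in the `@@ -20,7 +20,7 @@` hunk (the link text becomes "Name Resolution Poisoning and SMB Relay"), but the `modified` context line still reads `2025-10-21T15:10:28.402Z` and `x_mitre_version` stays `1.0`. Consumers that sync incrementally on `modified` will not pick up the new text, and the treatment is inconsistent with x-mitre-analytic--3f10ffe9-fa73-4aeb-bf98-322831bf757f later in this diff, where a spacing-only description edit updates both fields. Suggest updating the timestamp together with the text, e.g. `"modified": "<timestamp of this edit>",`.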
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--330166da-bc80-4aca-bd41-cbd6b1742812.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--330166da-bc80-4aca-bd41-cbd6b1742812.json
index 48cf003d77..16037a81d3 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--330166da-bc80-4aca-bd41-cbd6b1742812.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--330166da-bc80-4aca-bd41-cbd6b1742812.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fb446479-08f4-43d3-a518-0be5ecafa082",
+ "id": "bundle--99bfaf67-b6bb-4c4d-b566-f045bb1e7bc2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--354b93da-06e9-4634-a5fd-7f9b7b3a9d5a.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--354b93da-06e9-4634-a5fd-7f9b7b3a9d5a.json
index 59314514b8..190726f803 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--354b93da-06e9-4634-a5fd-7f9b7b3a9d5a.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--354b93da-06e9-4634-a5fd-7f9b7b3a9d5a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c0a77ea5-4be6-4264-95cb-deb815f4499f",
+ "id": "bundle--fa4c37f4-1008-46fa-87e3-da41cbf34453",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--37d989e6-14cd-49a4-adec-3d8b72c8dc22.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--37d989e6-14cd-49a4-adec-3d8b72c8dc22.json
index fb54438724..ecb95b7b87 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--37d989e6-14cd-49a4-adec-3d8b72c8dc22.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--37d989e6-14cd-49a4-adec-3d8b72c8dc22.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a5607e5f-244c-479e-8ec6-8212dd7560c2",
+ "id": "bundle--f43dca48-a905-4024-b75e-71486a604a6a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--383a1a1c-8ecf-4909-9237-14a1f4fc4179.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--383a1a1c-8ecf-4909-9237-14a1f4fc4179.json
index a302b94af3..c1c4657600 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--383a1a1c-8ecf-4909-9237-14a1f4fc4179.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--383a1a1c-8ecf-4909-9237-14a1f4fc4179.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4f54b2fc-42e6-4419-90b5-ca3ee64caa12",
+ "id": "bundle--f7078275-cd05-4f07-a4f7-2bb90d346343",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--393d7e7b-0790-49e7-9bcd-87ab4662b05e.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--393d7e7b-0790-49e7-9bcd-87ab4662b05e.json
index a6ae931229..6e7c0447fd 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--393d7e7b-0790-49e7-9bcd-87ab4662b05e.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--393d7e7b-0790-49e7-9bcd-87ab4662b05e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f780bd95-ff42-49ad-ab76-a48a18e30389",
+ "id": "bundle--a16eaf6e-d5d5-45bc-9643-828c98759ca2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--3c6a21cb-8643-41bc-94a1-e860b02a1cad.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--3c6a21cb-8643-41bc-94a1-e860b02a1cad.json
index ff5ead204d..2324e243e5 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--3c6a21cb-8643-41bc-94a1-e860b02a1cad.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--3c6a21cb-8643-41bc-94a1-e860b02a1cad.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f8dfa8fd-1388-4aa5-ad5b-a6a10c40d49c",
+ "id": "bundle--32e30b27-e447-4b8f-b501-0be160cea1b8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--3c6aa6f7-29e9-41d9-8500-30b6d0533d64.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--3c6aa6f7-29e9-41d9-8500-30b6d0533d64.json
new file mode 100644
index 0000000000..881279a57e
--- /dev/null
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--3c6aa6f7-29e9-41d9-8500-30b6d0533d64.json
@@ -0,0 +1,59 @@
+{
+ "type": "bundle",
+ "id": "bundle--31183b89-dd12-4799-9f3e-5d91b7029594",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--3c6aa6f7-29e9-41d9-8500-30b6d0533d64",
+ "created": "2026-04-23T00:31:46.350Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0914#AN2057",
+ "external_id": "AN2057"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:33:55.025Z",
+ "name": "Analytic 2057",
+ "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.\n\nMonitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.\n\nConsult asset management systems to understand expected program versions.\n\nMonitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.\n",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
+ "name": "Operational Databases",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "name": "Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706",
+ "name": "Asset",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "name": "Application Log",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--3e456d4d-397d-4e04-9261-9399960c9633.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--3e456d4d-397d-4e04-9261-9399960c9633.json
index 4a19ba146e..821db5f362 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--3e456d4d-397d-4e04-9261-9399960c9633.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--3e456d4d-397d-4e04-9261-9399960c9633.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b6d457ed-097d-41e4-8592-9262fda31d0a",
+ "id": "bundle--bee80792-ab73-4b02-804c-cbd11a53f736",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--3f052beb-d384-4ebe-b942-2c4ddeb95833.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--3f052beb-d384-4ebe-b942-2c4ddeb95833.json
new file mode 100644
index 0000000000..a0f8ae689c
--- /dev/null
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--3f052beb-d384-4ebe-b942-2c4ddeb95833.json 
@@ -0,0 +1,64 @@
+{
+ "type": "bundle",
+ "id": "bundle--bf7e1342-e43f-4e6d-962a-b1f3620312a0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--3f052beb-d384-4ebe-b942-2c4ddeb95833",
+ "created": "2026-04-22T21:47:06.445Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0910#AN2053",
+ "external_id": "AN2053"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:33:55.408Z",
+ "name": "Analytic 2053",
+ "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if messages are blocked.\n\nMonitor for a loss of network communications, which may indicate this technique is being used.\n\nMonitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution but instead may provide additional evidence that the technique has been used and may complement other detections.\n\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\n\nMonitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.\n",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
+ "name": "Operational Databases",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
+ "name": "Databases",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "name": "Application Log",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+ "name": "Process",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--3f10ffe9-fa73-4aeb-bf98-322831bf757f.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--3f10ffe9-fa73-4aeb-bf98-322831bf757f.json
index 4d0d37c7e6..4fef9d7bdc 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--3f10ffe9-fa73-4aeb-bf98-322831bf757f.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--3f10ffe9-fa73-4aeb-bf98-322831bf757f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e74dcbc1-2daa-465f-abf4-e5795a7a0710",
+ "id": "bundle--232d8e1f-7171-4d7b-bde5-fc62dcb35c7d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,6 +8,7 @@
 "id": "x-mitre-analytic--3f10ffe9-fa73-4aeb-bf98-322831bf757f",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "mitre-attack",
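Review bot: `"revoked": false` is written out explicitly in the `@@ -8,6 +8,7 @@` hunk, while the same commit deletes that exact line from relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b, so presence of the key is not uniform across objects after this change. Consumers that exclude revoked objects from detection coverage should read the field with a default of false rather than require the key to exist. If the serializer is meant to emit the key on every object, the removal in the relationship file looks unintended and is worth checking.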
@@ -38,11 +39,12 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:10:28.402Z", + "modified": "2026-04-24T20:33:55.812Z", "name": "Analytic 1864", - "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. 
Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "ics-attack" @@ -71,8 +73,7 @@ "name": "Network Traffic", "channel": "None" } - ], - "x_mitre_deprecated": false + ] } ] } \ No newline at end of file diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--484023ea-6fea-4f91-b40d-c6d87188cbfe.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--484023ea-6fea-4f91-b40d-c6d87188cbfe.json index e5d963354d..8ed161c886 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--484023ea-6fea-4f91-b40d-c6d87188cbfe.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--484023ea-6fea-4f91-b40d-c6d87188cbfe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab599f12-f8e5-4156-8140-ab48e11f82e6", + "id": "bundle--96b6feb6-25fd-4547-bada-1ce45fe3b69f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--48d2023b-469d-4f9f-a4e6-010be72436b9.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--48d2023b-469d-4f9f-a4e6-010be72436b9.json index bf842423a5..e3da95f1ae 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--48d2023b-469d-4f9f-a4e6-010be72436b9.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--48d2023b-469d-4f9f-a4e6-010be72436b9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d2730c86-ec3e-4e33-b97a-cc92438f6f55", + "id": "bundle--bee1c37d-b73d-40f7-82ce-3c654545fc91", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--51a094bf-b7eb-452a-9b7a-ffac16fce1ac.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--51a094bf-b7eb-452a-9b7a-ffac16fce1ac.json new file mode 100644 index 0000000000..09bd53a109 --- /dev/null +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--51a094bf-b7eb-452a-9b7a-ffac16fce1ac.json 
@@ -0,0 +1,59 @@
+{
+ "type": "bundle",
+ "id": "bundle--c1baf5c7-e58d-4c31-aaaf-caef3f419f4c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--51a094bf-b7eb-452a-9b7a-ffac16fce1ac",
+ "created": "2026-04-22T18:49:31.209Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0907#AN2050",
+ "external_id": "AN2050"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:33:56.263Z",
+ "name": "Analytic 2050",
+ "description": "Monitor for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.\n\nMonitor for hosts enumerating network connected resources using non-ICS enterprise protocols. \n",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "name": "Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+ "name": "Process",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+ "name": "Network",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
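Review bot: In the Analytic 2050 description, "by correlating process creation network data" is missing a conjunction, so it is unclear whether process-creation telemetry is meant to be joined with network data or whether a single source is intended; `by correlating process creation and network data` would match the Process and network log sources listed below it. The second paragraph also ends with a stray space before `\n`. Separately, `"x_mitre_platforms": ["None"]` and `"channel": "None"` use the string "None" as a placeholder here and in the new Analytic 2045, 2052 and 2049 files, so consumers have to special-case that literal rather than test for an absent value. The context lines of the existing analytics show the same values, so this looks like a repository convention to confirm rather than something to change in this commit.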
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--55544bb8-440f-4b67-aa35-7e7af5952aca.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--55544bb8-440f-4b67-aa35-7e7af5952aca.json index 3931ab517c..9daf2e3fe0 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--55544bb8-440f-4b67-aa35-7e7af5952aca.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--55544bb8-440f-4b67-aa35-7e7af5952aca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a5eabc76-c745-42a6-850e-d93fc57bf162", + "id": "bundle--81176753-902f-49ce-a41f-03abf5a91caa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--5610211c-1458-4333-8640-384189d9318e.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--5610211c-1458-4333-8640-384189d9318e.json index f7471d75c5..834bbc5653 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--5610211c-1458-4333-8640-384189d9318e.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--5610211c-1458-4333-8640-384189d9318e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--54a361d3-4ca1-4658-b100-d111cadb8726", + "id": "bundle--e44c4991-2632-4853-b092-0c222eaed6d6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--613b28ef-88dd-4008-8d7e-206ce55a7cde.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--613b28ef-88dd-4008-8d7e-206ce55a7cde.json new file mode 100644 index 0000000000..f2f406bfcb --- /dev/null +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--613b28ef-88dd-4008-8d7e-206ce55a7cde.json 
@@ -0,0 +1,49 @@
+{
+ "type": "bundle",
+ "id": "bundle--66cad171-2feb-4a86-bc86-a21918ac341f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--613b28ef-88dd-4008-8d7e-206ce55a7cde",
+ "created": "2026-04-22T14:53:50.597Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0902#AN2045",
+ "external_id": "AN2045"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:33:56.808Z",
+ "name": "Analytic 2045",
+ "description": "Unauthorized messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Unauthorized messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for benign reasons. 
Monitor messages for changes in how they are constructed.\n\nMonitor for anomalous or unexpected messages that may result in changes to the process operation observable via asset application logs (e.g., discrete write, logic and device configuration, mode changes, safety triggers).\n\nConsider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.\n",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "name": "Traffic",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--636e612f-0b63-44e8-bf2c-31b62d20508b.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--636e612f-0b63-44e8-bf2c-31b62d20508b.json
index b08f4674d7..9545b7f005 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--636e612f-0b63-44e8-bf2c-31b62d20508b.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--636e612f-0b63-44e8-bf2c-31b62d20508b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0df78bfd-9da1-4f67-9ec9-b795a59472e1",
+ "id": "bundle--b6068181-cc08-4195-9b54-71f4ac181d35",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--66070162-d51e-46e7-8d32-2140fd5e7086.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--66070162-d51e-46e7-8d32-2140fd5e7086.json
index 3f6f72b59a..d5eedf50db 100644
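Review bot: The Analytic 2045 description tells the reader to watch for effects "observable via asset application logs (e.g., discrete write, logic and device configuration, mode changes, safety triggers)" and to compare against out-of-band process data, but `x_mitre_log_source_references` lists only the "Network Traffic" and "Traffic" components. Tooling that derives required telemetry from this array would therefore not surface the application-log dependency that the prose relies on. If the omission is not intentional, add an entry for the Application Log component; another analytic in this commit references it as `x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa` with `"name": "Application Log"`.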
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--66070162-d51e-46e7-8d32-2140fd5e7086.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--66070162-d51e-46e7-8d32-2140fd5e7086.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b1d621b9-818d-4f3b-8044-8e2f8eceef86", + "id": "bundle--b84d3fc1-974d-49e8-90a2-618d979a24f5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--67861309-0ba7-4713-843e-3def87e396ec.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--67861309-0ba7-4713-843e-3def87e396ec.json new file mode 100644 index 0000000000..448f7ac7ad --- /dev/null +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--67861309-0ba7-4713-843e-3def87e396ec.json 
@@ -0,0 +1,49 @@
+{
+ "type": "bundle",
+ "id": "bundle--a33d323d-428e-4b8b-ac0c-52b94172d10e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--67861309-0ba7-4713-843e-3def87e396ec",
+ "created": "2026-04-22T20:45:49.233Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0909#AN2052",
+ "external_id": "AN2052"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:33:57.256Z",
+ "name": "Analytic 2052",
+ "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations.\n\nMonitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).\n",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "name": "Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "name": "Network Traffic",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--68073351-4e4f-40e4-9394-a9166bb346d7.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--68073351-4e4f-40e4-9394-a9166bb346d7.json index acd4651dc6..4f5a16cdac 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--68073351-4e4f-40e4-9394-a9166bb346d7.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--68073351-4e4f-40e4-9394-a9166bb346d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f203d254-5041-4b70-a47c-69792f341f14", + "id": "bundle--87b087d8-e2c2-4db1-8ed5-538d6345b706", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--6a510bf0-0289-4eb0-8645-89f0f4d32cf3.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--6a510bf0-0289-4eb0-8645-89f0f4d32cf3.json new file mode 100644 index 0000000000..b620671f12 --- /dev/null +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--6a510bf0-0289-4eb0-8645-89f0f4d32cf3.json 
@@ -0,0 +1,44 @@
+{
+ "type": "bundle",
+ "id": "bundle--6092d5f6-f56c-4a28-82d7-36f9385eb6d3",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--6a510bf0-0289-4eb0-8645-89f0f4d32cf3",
+ "created": "2026-04-22T17:53:18.908Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0906#AN2049",
+ "external_id": "AN2049"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:33:57.629Z",
+ "name": "Analytic 2049",
+ "description": "Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+ "name": "File",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--6b3b3e92-bef7-4977-9895-29036bab29f1.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--6b3b3e92-bef7-4977-9895-29036bab29f1.json
index 20ad73635c..6ee0f07e4b 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--6b3b3e92-bef7-4977-9895-29036bab29f1.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--6b3b3e92-bef7-4977-9895-29036bab29f1.json
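Review bot: The Analytic 2049 description names its own blind spot (malicious project-file edits made alongside legitimate ones are hard to isolate "by analyzing only file systems modifications"), yet the only log source listed is the File component, so the record gives a defender nothing to pair it with. Consider naming the complementary check in the description, for example comparison against a known-good copy of the project file, if that matches what the detection strategy intends. The phrase should also read `file system modifications`.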
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f0b74085-823a-41b7-ab0d-6414dbc04001", + "id": "bundle--959a1bcd-6e57-441d-85ab-bf4d96bf8121", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--6e046c4c-6c93-4fdf-a69e-5d81b52d1e9c.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--6e046c4c-6c93-4fdf-a69e-5d81b52d1e9c.json index d4559ac8a1..1e4bff4262 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--6e046c4c-6c93-4fdf-a69e-5d81b52d1e9c.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--6e046c4c-6c93-4fdf-a69e-5d81b52d1e9c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--73391828-2f33-4189-ba9f-ce65a2ada5ac", + "id": "bundle--55219daa-2daa-4de8-aa44-b5cbb9b0c2bb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--7107739b-92d2-41fa-9fc8-ebe72f6086ee.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--7107739b-92d2-41fa-9fc8-ebe72f6086ee.json index 0bf080f70d..1bcb5ccdfa 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--7107739b-92d2-41fa-9fc8-ebe72f6086ee.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--7107739b-92d2-41fa-9fc8-ebe72f6086ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3869a036-dbe9-4ef7-bd5c-59b5a7b8f8cd", + "id": "bundle--8c7e4743-47ec-4024-a423-d856655b5ac1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--77857bc3-6a38-4826-8109-30facf6c23ec.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--77857bc3-6a38-4826-8109-30facf6c23ec.json index 2347b1531c..8ca785e72f 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--77857bc3-6a38-4826-8109-30facf6c23ec.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--77857bc3-6a38-4826-8109-30facf6c23ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2e0db369-f894-4057-8f81-f3599765863d", + "id": "bundle--8ffd395d-5003-4c5a-a602-6a5e174814ba", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--7841eb6b-8a05-4754-b738-a475bfbb89fb.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--7841eb6b-8a05-4754-b738-a475bfbb89fb.json index 15ae33e452..8ffa779ed5 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--7841eb6b-8a05-4754-b738-a475bfbb89fb.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--7841eb6b-8a05-4754-b738-a475bfbb89fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ba7680e-c50f-4272-a278-f6418800d9e2", + "id": "bundle--4da08ccd-cd77-40cd-b02a-67db7735435d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--78615cd7-6a14-4921-aaa9-2aae0774f0f1.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--78615cd7-6a14-4921-aaa9-2aae0774f0f1.json index 503f881282..0d6936aa5a 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--78615cd7-6a14-4921-aaa9-2aae0774f0f1.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--78615cd7-6a14-4921-aaa9-2aae0774f0f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f633697c-04a3-40c8-b13b-6cb170b165b3", + "id": "bundle--83453ddd-8e53-4a36-ae93-3af6ccb25d0e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--791310ad-7db5-41df-9fa5-fa4097d8a51d.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--791310ad-7db5-41df-9fa5-fa4097d8a51d.json index 97d3c7d1bf..9801ba08c1 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--791310ad-7db5-41df-9fa5-fa4097d8a51d.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--791310ad-7db5-41df-9fa5-fa4097d8a51d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1179ac68-cdcc-4554-a5ae-6a81624df9ec", + "id": "bundle--e8ffbe12-c993-421a-9b59-0cdcbf0caf1c", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--7aa60595-5a1c-4de2-be60-cc1f9fea2313.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--7aa60595-5a1c-4de2-be60-cc1f9fea2313.json index 9659785db5..08306d78a3 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--7aa60595-5a1c-4de2-be60-cc1f9fea2313.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--7aa60595-5a1c-4de2-be60-cc1f9fea2313.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e4183b2-2b2d-4e5b-823f-9dfece8b0f0f", + "id": "bundle--642e4606-dd27-4cb2-9d07-40d692bcd0ee", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--7ec4b791-7054-442f-8967-6d6fa5e8678b.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--7ec4b791-7054-442f-8967-6d6fa5e8678b.json index e7ea0cac29..8b2141e892 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--7ec4b791-7054-442f-8967-6d6fa5e8678b.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--7ec4b791-7054-442f-8967-6d6fa5e8678b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--726d9026-6897-4ac6-bff5-4e91ab79ebb8", + "id": "bundle--4147a4db-7b7c-400c-a584-ca3bc7f3a467", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--8428e0cd-009e-41c1-8292-88651d4486c9.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--8428e0cd-009e-41c1-8292-88651d4486c9.json index 91d7820d21..77dd075f45 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--8428e0cd-009e-41c1-8292-88651d4486c9.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--8428e0cd-009e-41c1-8292-88651d4486c9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63ca5035-df28-45dc-9edd-2b7c44ab7fed", + "id": "bundle--adb113a0-a0f2-4371-8b1c-9db4bf953b2e", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--87f5d864-d79b-474a-a3b4-43673dcb9f90.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--87f5d864-d79b-474a-a3b4-43673dcb9f90.json index 783b859cb9..caccebf01e 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--87f5d864-d79b-474a-a3b4-43673dcb9f90.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--87f5d864-d79b-474a-a3b4-43673dcb9f90.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f58c5fcf-b220-45b6-a3c7-9fae20473ae5", + "id": "bundle--529173e1-1230-454e-aa32-6781a285f96b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--880a1133-6639-42f0-96a8-3e914426d38b.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--880a1133-6639-42f0-96a8-3e914426d38b.json index 39b47df4dd..15a81065d2 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--880a1133-6639-42f0-96a8-3e914426d38b.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--880a1133-6639-42f0-96a8-3e914426d38b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7879deec-cbde-47f2-a24d-d7a583393fb1", + "id": "bundle--f372b599-8ec4-4b70-9eaa-53bac57ca2aa", "spec_version": "2.0", "objects": [ { @@ -8,6 +8,7 @@ "id": "x-mitre-analytic--880a1133-6639-42f0-96a8-3e914426d38b", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -38,11 +39,12 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:10:28.402Z", + "modified": "2026-04-24T20:33:58.916Z", "name": "Analytic 1922", - "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. 
Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_domains": [ "ics-attack" @@ -71,8 +73,7 @@ "name": "Firmware", "channel": "None" } - ], - "x_mitre_deprecated": false + ] } ] } \ No newline at end of file diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--882f2365-4c14-4c48-8eef-2a7c293c8569.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--882f2365-4c14-4c48-8eef-2a7c293c8569.json index 3d43c69286..298145726b 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--882f2365-4c14-4c48-8eef-2a7c293c8569.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--882f2365-4c14-4c48-8eef-2a7c293c8569.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2b68685e-9208-474c-bd34-c35a39d851d0", + "id": "bundle--d3fbcee7-d815-4f08-b677-4e52c733b3d7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--899d0dce-64f7-4924-93a1-8e3c83dd510f.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--899d0dce-64f7-4924-93a1-8e3c83dd510f.json index a870afdfc6..ca3d22977d 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--899d0dce-64f7-4924-93a1-8e3c83dd510f.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--899d0dce-64f7-4924-93a1-8e3c83dd510f.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d142ae30-a072-4bba-bea2-2483c0cc7106",
+ "id": "bundle--69594e3a-59b4-4ad4-bdc4-89e6c7a3c5e3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--899d41e8-8d02-45f9-ab8a-3a06f4cc4189.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--899d41e8-8d02-45f9-ab8a-3a06f4cc4189.json
index e2ada5ce0e..997c7278f3 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--899d41e8-8d02-45f9-ab8a-3a06f4cc4189.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--899d41e8-8d02-45f9-ab8a-3a06f4cc4189.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5d701ae2-7eb0-4918-a069-82a80122945c",
+ "id": "bundle--9958d295-1ec6-4f03-b265-c81aae5b9a18",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--89ca8617-20fd-404b-9afb-dcfd2684a791.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--89ca8617-20fd-404b-9afb-dcfd2684a791.json
index 30ee2192dd..21237dc845 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--89ca8617-20fd-404b-9afb-dcfd2684a791.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--89ca8617-20fd-404b-9afb-dcfd2684a791.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1f0b8ca4-fb98-486e-b923-102507281e27",
+ "id": "bundle--90c684a7-7825-436e-b138-b4d4370d229e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--8c77f31f-c6f4-491c-965a-e25c506b0c68.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--8c77f31f-c6f4-491c-965a-e25c506b0c68.json
index f6acb60f0b..cb3002929b 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--8c77f31f-c6f4-491c-965a-e25c506b0c68.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--8c77f31f-c6f4-491c-965a-e25c506b0c68.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--40dcd65e-894a-4001-9e3e-c4a6084351ca",
+ "id": "bundle--da16d46c-a85f-4617-8c82-120bed1891b8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--908fe88b-d8e2-47d1-b6a4-7a42b3bbe09b.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--908fe88b-d8e2-47d1-b6a4-7a42b3bbe09b.json
index 41561aef4b..a21bc67718 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--908fe88b-d8e2-47d1-b6a4-7a42b3bbe09b.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--908fe88b-d8e2-47d1-b6a4-7a42b3bbe09b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c97fd147-c8dc-4100-8d5e-da94725e3386",
+ "id": "bundle--51692b29-3451-44c1-87d8-ba448cee612a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--9127dd4e-0994-442f-8d73-b6b2dfb1f9ac.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--9127dd4e-0994-442f-8d73-b6b2dfb1f9ac.json
index 1e8ac3f20c..13ac7e4650 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--9127dd4e-0994-442f-8d73-b6b2dfb1f9ac.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--9127dd4e-0994-442f-8d73-b6b2dfb1f9ac.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b20cd901-dcfb-4c65-bee5-9d8675982757",
+ "id": "bundle--83fb0c3f-6f7e-4b31-bd37-10284d482380",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--930aae7c-e8f0-4594-8e3f-f0e71d7e1640.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--930aae7c-e8f0-4594-8e3f-f0e71d7e1640.json
index eb11a8f860..d06812eeff 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--930aae7c-e8f0-4594-8e3f-f0e71d7e1640.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--930aae7c-e8f0-4594-8e3f-f0e71d7e1640.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--68c49a31-cae9-4419-be14-0a415818a8e4",
+ "id": "bundle--dfcdc837-bec7-44f1-80f6-a282d65d1544",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--96e7b86f-b960-489c-882b-9dcdb1c44aa9.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--96e7b86f-b960-489c-882b-9dcdb1c44aa9.json
index e7bf92d890..beda9e5b76 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--96e7b86f-b960-489c-882b-9dcdb1c44aa9.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--96e7b86f-b960-489c-882b-9dcdb1c44aa9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bc8e369b-6090-4f86-adc1-a703a144baf4",
+ "id": "bundle--f90a9a89-46f0-4d9c-9df6-1700522b793a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--981b659b-992a-4d71-9404-0e1b2b598e50.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--981b659b-992a-4d71-9404-0e1b2b598e50.json
index 3c0db54706..586c3cb83a 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--981b659b-992a-4d71-9404-0e1b2b598e50.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--981b659b-992a-4d71-9404-0e1b2b598e50.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2747a1d7-7b8f-4c75-b570-83c6498912b8",
+ "id": "bundle--85360b24-7076-49b5-80fc-a3f4a3bc6e9f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--9ad83be0-5c88-4fb6-b59d-19db21176923.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--9ad83be0-5c88-4fb6-b59d-19db21176923.json
index 80542f376c..e7236fd174 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--9ad83be0-5c88-4fb6-b59d-19db21176923.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--9ad83be0-5c88-4fb6-b59d-19db21176923.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7aa8da1d-cc8b-42b3-8312-d5b9c1651ad2",
+ "id": "bundle--9996633e-ccb3-4985-b63e-9a162b685558",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--aebd2848-98db-46f1-8e22-627e2ec3c280.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--aebd2848-98db-46f1-8e22-627e2ec3c280.json
index b8e4db86c6..b472f406b2 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--aebd2848-98db-46f1-8e22-627e2ec3c280.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--aebd2848-98db-46f1-8e22-627e2ec3c280.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--98241caa-f890-48ca-b0b2-6c40729055d2",
+ "id": "bundle--adc45c23-78b9-430d-8b80-86cab20c42eb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--afc9e394-147e-49db-81df-953d2d3ea93e.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--afc9e394-147e-49db-81df-953d2d3ea93e.json
index 84b1ed4ea6..2a4010ee6f 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--afc9e394-147e-49db-81df-953d2d3ea93e.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--afc9e394-147e-49db-81df-953d2d3ea93e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1de03017-ed80-49c3-95b6-a2a0789bd4e7",
+ "id": "bundle--7c642a31-7f3a-42e1-bb27-181094c21a19",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--b337bf06-d69b-41e0-8e60-8f24cb718998.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--b337bf06-d69b-41e0-8e60-8f24cb718998.json
index 672ebc1d75..d36e996b06 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--b337bf06-d69b-41e0-8e60-8f24cb718998.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--b337bf06-d69b-41e0-8e60-8f24cb718998.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bc45b8cd-6e2f-4c75-a4dc-ba469988ec00",
+ "id": "bundle--e9c3245d-cb03-4dc9-807f-242f1338c632",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--b6fb91d0-28f6-447d-ba25-e7b26116ebfe.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--b6fb91d0-28f6-447d-ba25-e7b26116ebfe.json
index 95268219fb..3142147f4c 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--b6fb91d0-28f6-447d-ba25-e7b26116ebfe.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--b6fb91d0-28f6-447d-ba25-e7b26116ebfe.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a053220d-8791-4c34-bbbf-68add916aeed",
+ "id": "bundle--739049d1-78bd-4346-918e-33c096992cd4",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--b74100d1-0085-468a-834a-2bf10924a3b7.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--b74100d1-0085-468a-834a-2bf10924a3b7.json
index 5e6ea948da..35a77d9288 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--b74100d1-0085-468a-834a-2bf10924a3b7.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--b74100d1-0085-468a-834a-2bf10924a3b7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--98ed7865-85a4-480c-a407-bb781248e4ed",
+ "id": "bundle--11924908-95c5-45a4-96a9-4a9f1bdf8f07",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--c14544a4-5ca1-4523-97eb-4a9840d74c6d.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--c14544a4-5ca1-4523-97eb-4a9840d74c6d.json
index 7ceb31b9d2..e22161253b 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--c14544a4-5ca1-4523-97eb-4a9840d74c6d.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--c14544a4-5ca1-4523-97eb-4a9840d74c6d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2686e354-1447-4186-ac52-2cc3f59f5dac",
+ "id": "bundle--21d6219e-46f5-4ee4-900d-e65a38f286eb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--c40ddd75-f2fc-4899-bda1-bff164c96622.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--c40ddd75-f2fc-4899-bda1-bff164c96622.json
index 94671928fb..a91cfe6713 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--c40ddd75-f2fc-4899-bda1-bff164c96622.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--c40ddd75-f2fc-4899-bda1-bff164c96622.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--51122f58-a1f7-4a48-9127-33eb81293c92",
+ "id": "bundle--8d0c3736-c4f1-4bab-8184-6a036a748096",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--c556c91d-64a0-401c-9c41-18971eeca0f2.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--c556c91d-64a0-401c-9c41-18971eeca0f2.json
new file mode 100644
index 0000000000..95f3d4b610
--- /dev/null
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--c556c91d-64a0-401c-9c41-18971eeca0f2.json
@@ -0,0 +1,64 @@
+{
+ "type": "bundle",
+ "id": "bundle--8481776b-3520-4792-807f-ab511628e257",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--c556c91d-64a0-401c-9c41-18971eeca0f2",
+ "created": "2026-04-22T15:07:57.495Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0903#AN2046",
+ "external_id": "AN2046"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:34:00.942Z",
+ "name": "Analytic 2046",
+ "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.\n\nMonitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.\n\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\n\nMonitor for a loss of network communications, which may indicate this technique is being used.\n\nMonitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic.
In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages are blocked.\n\n",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+ "name": "Process",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
+ "name": "Operational Databases",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "name": "Application Log",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
+ "name": "Databases",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--cbf791b4-5186-4205-ac5a-a56042aaebec.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--cbf791b4-5186-4205-ac5a-a56042aaebec.json
index 530dde5a03..006cfa8ed2 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--cbf791b4-5186-4205-ac5a-a56042aaebec.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--cbf791b4-5186-4205-ac5a-a56042aaebec.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7ad2c7e3-e619-4e01-84d9-326445307c72",
+ "id": "bundle--213d0875-958d-4fe3-b56b-46302df7b329",
 "spec_version": "2.0",
 "objects": [
 {
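Review bot: The `x_mitre_log_source_references` of the new AN2046 file (`x-mitre-analytic--c556c91d-64a0-401c-9c41-18971eeca0f2.json`) name `x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95` as "Operational Databases" and `x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e` as "Databases", while the AN2054 file added later in this commit (`x-mitre-analytic--df7f8849-56a7-4e83-9fd7-a4f25227d960.json`) pairs the same two refs with those names the other way round. The AN2056 file (`x-mitre-analytic--e379be82-39d7-4ae4-8557-f846ba19cd4b.json`) attaches "Operational Databases" to a third ref, `x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298`. A ref can carry only one correct name, so a consumer that maps analytics to telemetry by `name` or by ref will resolve some of these entries to the wrong log source and may report detection coverage that is not there. Which pairing is right cannot be determined from the diff; check each `name` against the `name` of the data-component object its ref points to and make the three files agree.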
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--cd4c92f9-3107-45c7-9d95-19a44d7dc92c.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--cd4c92f9-3107-45c7-9d95-19a44d7dc92c.json
index a63f4cf9e1..9edbea83b7 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--cd4c92f9-3107-45c7-9d95-19a44d7dc92c.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--cd4c92f9-3107-45c7-9d95-19a44d7dc92c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--23bdd01b-4db2-4f86-9cc1-e1502c4f1eea",
+ "id": "bundle--41ba408f-5050-46db-b7d0-8aac3ac8920d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--cff25f71-859e-48bf-88d6-852d05e22b33.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--cff25f71-859e-48bf-88d6-852d05e22b33.json
index b91a496a20..b6d9d18547 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--cff25f71-859e-48bf-88d6-852d05e22b33.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--cff25f71-859e-48bf-88d6-852d05e22b33.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--408f6ac1-4554-4ea5-876c-0c833e59c338",
+ "id": "bundle--bba9585e-c3ad-4e76-85bf-b1688f368ffb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--d271c7fc-d76a-4fb0-a645-5db2c1223a32.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--d271c7fc-d76a-4fb0-a645-5db2c1223a32.json
index 918004c610..1e28c04acb 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--d271c7fc-d76a-4fb0-a645-5db2c1223a32.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--d271c7fc-d76a-4fb0-a645-5db2c1223a32.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8a3d01cd-8171-4a02-8ebd-028b0d172895",
+ "id": "bundle--7480b0a8-cea8-4839-bcff-5513c6373527",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--d3023733-5874-4746-a947-65925514e382.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--d3023733-5874-4746-a947-65925514e382.json
index 6b8ff4c77b..36a25fb772 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--d3023733-5874-4746-a947-65925514e382.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--d3023733-5874-4746-a947-65925514e382.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b254e128-840e-455a-872d-e7762ca548c0",
+ "id": "bundle--65fd5b44-0b53-420b-91e5-a6c04f640372",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--d71e98fa-64d1-4ddb-acb1-bba1e4af6a73.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--d71e98fa-64d1-4ddb-acb1-bba1e4af6a73.json
index 0259fe1cc4..fb017a2cce 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--d71e98fa-64d1-4ddb-acb1-bba1e4af6a73.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--d71e98fa-64d1-4ddb-acb1-bba1e4af6a73.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d3285b79-c037-4d74-a972-b5de4b02b368",
+ "id": "bundle--93dc1143-e218-4363-a71f-7e52553caf7a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--d937e4b8-20f2-44c1-9940-48c74318c715.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--d937e4b8-20f2-44c1-9940-48c74318c715.json
index d893460346..c6c0d0fc92 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--d937e4b8-20f2-44c1-9940-48c74318c715.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--d937e4b8-20f2-44c1-9940-48c74318c715.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4987cb65-f4f0-48e8-8461-280814694e9f",
+ "id": "bundle--62705ef8-8a48-40db-8960-57672f70e70e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--dc014060-5116-4a2f-bac5-35ac1db8fabb.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--dc014060-5116-4a2f-bac5-35ac1db8fabb.json
index a08bbb3315..33befd8a69 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--dc014060-5116-4a2f-bac5-35ac1db8fabb.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--dc014060-5116-4a2f-bac5-35ac1db8fabb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--35affb2a-73b9-43c4-a8e4-0938208407f8",
+ "id": "bundle--8f9459a2-e2a3-4a80-9945-3413d6d7ff65",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--dd25b818-ceb0-4518-9384-dcf895d4956b.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--dd25b818-ceb0-4518-9384-dcf895d4956b.json
index e8037f3126..e33a97409f 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--dd25b818-ceb0-4518-9384-dcf895d4956b.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--dd25b818-ceb0-4518-9384-dcf895d4956b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4c6702d8-37f7-45d2-9f3f-d444d58214ee",
+ "id": "bundle--69bcd582-9d14-4907-b236-526ab3050a27",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--ddfcd948-3526-4241-a12f-d7bf63468e40.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--ddfcd948-3526-4241-a12f-d7bf63468e40.json
index f2dc6e89c7..036a5b0b26 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--ddfcd948-3526-4241-a12f-d7bf63468e40.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--ddfcd948-3526-4241-a12f-d7bf63468e40.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d17c4a34-d1e0-4a51-90eb-3b7eb01735bd",
+ "id": "bundle--1718e910-f074-4bbb-baa9-ce031ada0f15",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--df7f8849-56a7-4e83-9fd7-a4f25227d960.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--df7f8849-56a7-4e83-9fd7-a4f25227d960.json
new file mode 100644
index 0000000000..7beb2b5685
--- /dev/null
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--df7f8849-56a7-4e83-9fd7-a4f25227d960.json
@@ -0,0 +1,64 @@
+{
+ "type": "bundle",
+ "id": "bundle--41a560be-ee17-4821-b53e-dfbcd029e62e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--df7f8849-56a7-4e83-9fd7-a4f25227d960",
+ "created": "2026-04-22T22:41:28.415Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0911#AN2054",
+ "external_id": "AN2054"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:34:02.593Z",
+ "name": "Analytic 2054",
+ "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Ethernet messages are blocked.\n\nMonitor for a loss of network communications, which may indicate this technique is being used.\n\nMonitor for lack of operational process data which may help identify a loss of communications.
This will not directly detect the technique\u2019s execution but instead may provide additional evidence that the technique has been used and may complement other detections.\n\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\n\nMonitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.\n",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
+ "name": "Operational Databases",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "name": "Network Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
+ "name": "Databases",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "name": "Application Log",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+ "name": "Process",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--e25ef816-bbfd-4656-8ecb-c7eebcba31d4.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--e25ef816-bbfd-4656-8ecb-c7eebcba31d4.json
index 587ef2939e..82c7b0fbf0 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--e25ef816-bbfd-4656-8ecb-c7eebcba31d4.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--e25ef816-bbfd-4656-8ecb-c7eebcba31d4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6ea5a23e-226f-44c2-8203-f81a9adff34a",
+ "id": "bundle--138cf27a-3335-4811-81a7-efa9dc9d8f4f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--e379be82-39d7-4ae4-8557-f846ba19cd4b.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--e379be82-39d7-4ae4-8557-f846ba19cd4b.json
new file mode 100644
index 0000000000..dbb984ef7b
--- /dev/null
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--e379be82-39d7-4ae4-8557-f846ba19cd4b.json
@@ -0,0 +1,59 @@
+{
+ "type": "bundle",
+ "id": "bundle--0f9f67b9-f67b-433e-a7a6-9cd00de4abb8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--e379be82-39d7-4ae4-8557-f846ba19cd4b",
+ "created": "2026-04-23T00:08:52.524Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0913#AN2056",
+ "external_id": "AN2056"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:34:02.964Z",
+ "name": "Analytic 2056",
+ "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.\n\nMonitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.\n\nConsult asset management systems to understand expected program versions.\n\nMonitor devices configuration logs which may contain alerts that indicate whether a program download has occurred.
Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.\n",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
+ "name": "Operational Databases",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "name": "Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706",
+ "name": "Asset",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "name": "Application Log",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--e8f51c53-fc55-441b-a45f-ba7709ccbce2.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--e8f51c53-fc55-441b-a45f-ba7709ccbce2.json
index 269f95d4f6..6fcfbee957 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--e8f51c53-fc55-441b-a45f-ba7709ccbce2.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--e8f51c53-fc55-441b-a45f-ba7709ccbce2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4100c290-2fed-4458-9e23-fb07b23454a3",
+ "id": "bundle--f2ffd6cc-44aa-47f9-b91a-860246bae78f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--ec695157-8c3c-439b-9925-459c9d4172f0.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--ec695157-8c3c-439b-9925-459c9d4172f0.json
index 6f0ec0e246..ebeec32bfb 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--ec695157-8c3c-439b-9925-459c9d4172f0.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--ec695157-8c3c-439b-9925-459c9d4172f0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0b7ab6c3-7e3c-466c-8a3a-65b5976d78bb",
+ "id": "bundle--6869ef36-972f-48e8-b214-9e7cba85b8ef",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--ece52da2-ac60-4b0e-863f-ebbc95118a8c.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--ece52da2-ac60-4b0e-863f-ebbc95118a8c.json
index 4c1e7beaa0..47945a744d 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--ece52da2-ac60-4b0e-863f-ebbc95118a8c.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--ece52da2-ac60-4b0e-863f-ebbc95118a8c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b79dbedd-2b9d-4501-8dd7-db72c9bc2f6b",
+ "id": "bundle--1c90f1cb-a89c-41f2-8e97-c32bb05f7fbf",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--edd8297d-ec63-4b54-8d28-106f228dd535.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--edd8297d-ec63-4b54-8d28-106f228dd535.json
index b07e475c80..4903bdd4e7 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--edd8297d-ec63-4b54-8d28-106f228dd535.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--edd8297d-ec63-4b54-8d28-106f228dd535.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ab5c3dc7-f53a-47a8-9e38-9dbb99c624c8",
+ "id": "bundle--30bd6214-1b8b-4d49-894a-9e996c8e5a75",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--f123f13f-b6f4-4e86-96cd-14df0e855e0f.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--f123f13f-b6f4-4e86-96cd-14df0e855e0f.json
index 3be3276921..847bf2e23d 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--f123f13f-b6f4-4e86-96cd-14df0e855e0f.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--f123f13f-b6f4-4e86-96cd-14df0e855e0f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f0e56c16-84db-4f67-8246-f139f391f35f",
+ "id": "bundle--91312502-9c7e-45e2-a0ef-b9aaed11b7ed",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--f12aa823-91cc-40e1-93b7-eaa5f5fa9c4d.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--f12aa823-91cc-40e1-93b7-eaa5f5fa9c4d.json
index 749c0a0a96..034faddc09 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--f12aa823-91cc-40e1-93b7-eaa5f5fa9c4d.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--f12aa823-91cc-40e1-93b7-eaa5f5fa9c4d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f4e72fed-9611-4eec-b813-c136b13083aa",
+ "id": "bundle--67141681-21ac-4bae-8719-b2ef3a588175",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--f6324642-d17d-49d4-90b2-bab9d229d6fa.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--f6324642-d17d-49d4-90b2-bab9d229d6fa.json
new file mode 100644
index 0000000000..f70bb346dc
--- /dev/null
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--f6324642-d17d-49d4-90b2-bab9d229d6fa.json
@@ -0,0 +1,49 @@
+{
+ "type": "bundle",
+ "id": "bundle--2b88b38a-7222-4864-b55e-512c952aab0f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-analytic",
+ "id": "x-mitre-analytic--f6324642-d17d-49d4-90b2-bab9d229d6fa",
+ "created": "2026-04-22T20:31:39.088Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0908#AN2051",
+ "external_id": "AN2051"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:34:03.863Z",
+ "name": "Analytic 2051",
+ "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations.\nMonitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).\n",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_domains": [
+ "ics-attack"
+ ],
+ "x_mitre_platforms": [
+ "None"
+ ],
+ "x_mitre_log_source_references": [
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "name": "Traffic",
+ "channel": "None"
+ },
+ {
+ "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "name": "Network Traffic",
+ "channel": "None"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
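Review bot: The `description` of AN2051 separates its two "Monitor for" paragraphs with a single `\n` and ends with a stray `\n`, whereas the other analytics added in this commit (AN2046, AN2054, AN2056) put `\n\n` between paragraphs. If the field is rendered as Markdown, which the embedded `[Remote System Discovery](...)` link suggests, a single newline does not start a new paragraph and the two monitoring steps run together into one block. I would write the boundary as `...sent to many outstations.\n\nMonitor for new ICS protocol connections...` and drop the trailing newline. While editing, "discovery related ICS functions" reads better as "discovery-related ICS functions".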
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--f666f516-f8d0-41f6-9a4c-0ac6c1f6086b.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--f666f516-f8d0-41f6-9a4c-0ac6c1f6086b.json
index b57d1937e9..972c8835ff 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--f666f516-f8d0-41f6-9a4c-0ac6c1f6086b.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--f666f516-f8d0-41f6-9a4c-0ac6c1f6086b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--838badc1-a27e-46d5-bc23-8f3adeded650",
+ "id": "bundle--0b255efc-c1e6-45d9-9a21-13c27a7af783",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--fbd4686e-f637-459b-ad48-c6fd7840acfa.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--fbd4686e-f637-459b-ad48-c6fd7840acfa.json
index 24a5bb9944..9448ff48ec 100644
--- a/ics-attack/x-mitre-analytic/x-mitre-analytic--fbd4686e-f637-459b-ad48-c6fd7840acfa.json
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--fbd4686e-f637-459b-ad48-c6fd7840acfa.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e950234a-12b1-47ee-b086-6334e779c1ee",
+ "id": "bundle--c1029c5b-a1a6-4a4f-8b6f-1fa23f95ecce",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--fc6641ac-5748-4498-89e9-d4ada2b6f88a.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--fc6641ac-5748-4498-89e9-d4ada2b6f88a.json
new file mode 100644
index 0000000000..39227dd2be
--- /dev/null
+++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--fc6641ac-5748-4498-89e9-d4ada2b6f88a.json
@@ -0,0 +1,79 @@ +{ + "type": "bundle", + "id": "bundle--6ac13b2e-08af-442c-b06e-61175e034f94", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-analytic", + "id": "x-mitre-analytic--fc6641ac-5748-4498-89e9-d4ada2b6f88a", + "created": "2026-04-22T15:53:18.404Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0904#AN2047", + "external_id": "AN2047" + }, + { + "source_name": "McAfee CHIPSEC Blog", + "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", + "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/" + }, + { + "source_name": "MITRE Copernicus", + "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", + "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about" + }, + { + "source_name": "Intel HackingTeam UEFI Rootkit", + "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html" + }, + { + "source_name": "Github CHIPSEC", + "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. 
Retrieved March 20, 2017.", + "url": "https://github.com/chipsec/chipsec" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:34:04.333Z", + "name": "Analytic 2047", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\n\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\n\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.\n\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. 
The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)\n", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_platforms": [ + "None" + ], + "x_mitre_log_source_references": [ + { + "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "name": "Operational Databases", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "name": "Application Log", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "name": "Firmware", + "channel": "None" + }, + { + "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "name": "Network Traffic", + "channel": "None" + } + ] + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-analytic/x-mitre-analytic--fcfe9c48-3a5a-49c8-96c3-be79414a8419.json b/ics-attack/x-mitre-analytic/x-mitre-analytic--fcfe9c48-3a5a-49c8-96c3-be79414a8419.json index a0a83441a1..24bb58eed3 100644 --- a/ics-attack/x-mitre-analytic/x-mitre-analytic--fcfe9c48-3a5a-49c8-96c3-be79414a8419.json +++ b/ics-attack/x-mitre-analytic/x-mitre-analytic--fcfe9c48-3a5a-49c8-96c3-be79414a8419.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc1b3ea6-af1e-40fd-b4d8-2ad8e5a821a2", + "id": "bundle--c537a715-5748-406a-9b2a-017c2d51d2bf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945.json b/ics-attack/x-mitre-asset/x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945.json index 36daa18e03..40bc566f98 100644 
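Review bot: The `Intel HackingTeam UEFI Rootkit` entry in `external_references` gives the publication date `(2005, July 16)`, which looks like a typo and should be checked against the source (probably 2015). The cited page is reached through a 2017 archive snapshot, and the other firmware citations in this file date from 2013 to 2017. The `MITRE Copernicus` URL is plain `http://` and, unlike the Intel entry, has no archived copy, so an `https://` or archived link would be more durable for analysts following the citation.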
--- a/ics-attack/x-mitre-asset/x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945.json @@ -1,10 +1,31 @@ { "type": "bundle", - "id": "bundle--e17f98f0-60da-4b18-b28f-8d0e8320cb3e", + "id": "bundle--36e811c4-49a7-4c59-a770-08ef9168eaba", "spec_version": "2.0", "objects": [ { - "modified": "2023-10-04T18:07:59.333Z", + "type": "x-mitre-asset", + "spec_version": "2.1", + "id": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "created": "2023-09-28T15:13:07.950Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0011", + "external_id": "A0011" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-23T00:57:53.372Z", "name": "Virtual Private Network (VPN) Server", "description": "A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.", "x_mitre_sectors": [ 
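Review bot: The object gains `"spec_version": "2.1"` while the enclosing bundle still declares `"spec_version": "2.0"`, so the file now states two STIX versions. STIX 2.0 puts the property on the bundle and STIX 2.1 puts it on each object, so a strict validator or a parser that picks its object model from the bundle value may reject the object-level property or treat it as a custom one. If the repository is meant to stay on 2.0 bundles, drop the added `"spec_version": "2.1"` line; if it is moving to 2.1, remove `"spec_version": "2.0"` from the bundle instead. The same addition appears in the other `x-mitre-asset` hunks on this page (14932ed5, 1769c499, 2b676abd, 3a95f7e4, 459e4335, 68388d4f, 69d1b1ef, 75f810ad, 85f285f9).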
@@ -26,38 +47,18 @@ "description": "Field VPN are typically deployed at remote outstations and are used to create secure connections to VPN servers within data/control center environments. " } ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Windows", + "Embedded", "Linux", - "Embedded" + "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "type": "x-mitre-asset", - "id": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", - "created": "2023-09-28T15:13:07.950Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/assets/A0011", - "external_id": "A0011" - }, - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787.json b/ics-attack/x-mitre-asset/x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787.json index 4f155192ae..f8d35f92f3 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787.json 
@@ -1,35 +1,11 @@ { "type": "bundle", - "id": "bundle--b5eb3b61-0e92-4e5d-a7e8-34786d6194bb", + "id": "bundle--de37de0d-a074-4e14-9615-164dec7f762a", "spec_version": "2.0", "objects": [ { - "modified": "2023-10-04T18:03:06.811Z", - "name": "Jump Host", - "description": "Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts. ", - "x_mitre_sectors": [ - "General" - ], - "x_mitre_related_assets": [ - { - "name": "Intermediate System", - "related_asset_sectors": [ - "Electric" - ], - "description": "A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users.(Citation: North American Electric Reliability Corporation June 2021)" - } - ], - "x_mitre_platforms": [ - "Windows", - "Linux", - "Embedded" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "created": "2023-09-28T17:52:53.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -49,8 +25,33 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-23T00:58:05.830Z", + "name": "Jump Host", + "description": "Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts. ", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Intermediate System", + "related_asset_sectors": [ + "Electric" + ], + "description": "A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users.(Citation: North American Electric Reliability Corporation June 2021)" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Embedded", + "Linux", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32.json b/ics-attack/x-mitre-asset/x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32.json index 27950057ff..9d338fca87 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32.json 
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32.json @@ -1,28 +1,11 @@ { "type": "bundle", - "id": "bundle--ee206beb-ef65-465b-9dda-2126094f2bea", + "id": "bundle--7f6f79a8-94d8-4c35-b56a-8fe0c4b21107", "spec_version": "2.0", "objects": [ { - "modified": "2023-10-04T18:05:43.237Z", - "name": "Remote Terminal Unit (RTU)", - "description": "A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. An RTU can be implemented as a dedicated embedded device, as software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.", - "x_mitre_sectors": [ - "Electric", - "Water and Wastewater", - "General" - ], - "x_mitre_platforms": [ - "Embedded", - "Windows", - "Linux" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", "created": "2023-09-28T14:44:54.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -37,8 +20,26 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-23T00:58:18.239Z", + "name": "Remote Terminal Unit (RTU)", + "description": "A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. An RTU can be implemented as a dedicated embedded device, as software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.", + "x_mitre_sectors": [ + "Electric", + "General", + "Water and Wastewater" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Embedded", + "Linux", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe.json b/ics-attack/x-mitre-asset/x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe.json index 1d26aeb371..d4cb51be69 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe.json 
@@ -1,37 +1,11 @@ { "type": "bundle", - "id": "bundle--bbcebb5c-d8b2-443f-8f83-17abe3136da9", + "id": "bundle--674536d3-38e2-42ec-8beb-4aa351bde5c7", "spec_version": "2.0", "objects": [ { - "modified": "2023-10-04T19:26:49.788Z", - "name": "Field I/O", - "description": "Field I/O are devices that communicate with a controller or data aggregator to either send input data or receive output data. Input data may include readings about a given environment/device state from sensors, while output data may include data sent back to actuators for them to either undertake actions or change parameter values.(Citation: Guidance - NIST SP800-82) These devices are frequently embedded devices running on lightweight embedded operating systems or RTOSes. ", - "x_mitre_related_assets": [ - { - "name": "Smart Sensors", - "related_asset_sectors": [ - "General" - ], - "description": "*A device that procures a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow).* (Citation: Guidance - NIST SP800-82) Smart sensors take this functionality and add on on-device processing and network communication." - }, - { - "name": "Variable Frequency Drive (VFD)", - "related_asset_sectors": [ - "General" - ], - "description": "*A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.* (Citation: Guidance - NIST SP800-82) VFDs can be network connected." - } - ], - "x_mitre_platforms": [ - "Embedded" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "created": "2023-09-28T17:57:22.946Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -51,8 +25,38 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-27T16:50:21.228Z", + "name": "Field I/O", + "description": "Field I/O are devices that communicate with a controller or data aggregator to either send input data or receive output data. Input data may include readings about a given environment/device state from sensors, while output data may include data sent back to actuators for them to either undertake actions or change parameter values.(Citation: Guidance - NIST SP800-82) These devices are frequently embedded devices running on lightweight embedded operating systems or RTOSes. ", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Smart Sensors", + "related_asset_sectors": [ + "General" + ], + "description": "*A device that procures a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow).* (Citation: Guidance - NIST SP800-82) Smart sensors take this functionality and add on on-device processing and network communication." + }, + { + "name": "Variable Frequency Drive (VFD)", + "related_asset_sectors": [ + "General" + ], + "description": "*A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.* (Citation: Guidance - NIST SP800-82) VFDs can be network connected." 
+ } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64.json b/ics-attack/x-mitre-asset/x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64.json index 74af4974a7..9eb8a988bd 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64.json 
@@ -1,34 +1,11 @@ { "type": "bundle", - "id": "bundle--ee6a506c-d237-4db9-ba1c-7eddfc166d6e", + "id": "bundle--9a78b62c-c049-4fe3-b096-0e05754aad04", "spec_version": "2.0", "objects": [ { - "modified": "2023-10-04T17:59:11.489Z", - "name": "Human-Machine Interface (HMI)", - "description": "Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.", - "x_mitre_sectors": [ - "General" - ], - "x_mitre_related_assets": [ - { - "name": "Operator Workstation (OWS)", - "related_asset_sectors": [ - "General" - ], - "description": "An Operator Workstation (OWS) or Console is a system or device used by an operator to interface with a control system, including to access/visualizes key information or parameters about the operational process and initiate control actions. This typically consists of specialized OWS software installed on a Workstation platform. (Citation: IEC February 2019)" - } - ], - "x_mitre_platforms": [ - "Windows", - "Linux" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "created": "2023-09-28T14:38:54.407Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -48,8 +25,32 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-23T00:58:37.171Z", + "name": "Human-Machine Interface (HMI)", + "description": "Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Operator Workstation (OWS)", + "related_asset_sectors": [ + "General" + ], + "description": "An Operator Workstation (OWS) or Console is a system or device used by an operator to interface with a control system, including to access/visualizes key information or parameters about the operational process and initiate control actions. This typically consists of specialized OWS software installed on a Workstation platform. (Citation: IEC February 2019)" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d.json b/ics-attack/x-mitre-asset/x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d.json index d7cb1d19c4..bc1aad30c5 100644 
--- a/ics-attack/x-mitre-asset/x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--f09926a2-32de-4acc-a1c4-a7c80de23054", + "id": "bundle--18ef7f0f-5cdc-4a43-9e07-a1061128c377", "spec_version": "2.0", "objects": [ { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d", "created": "2025-09-29T18:56:19.712Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -19,9 +20,12 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-03T17:46:10.281Z", + "modified": "2026-04-27T16:50:01.628Z", "name": "Programmable Automation Controller (PAC)", "description": "A Programmable Automation Controller (PAC) is an embedded programmable control device. PACs are designed to enable automation applications across integrated software applications, peer controllers (e.g., PLC), Human Machine Interfaces, and other systems. PACs often include advanced features for process control, motion control, drive control, and vision applications. PACs are programmed using traditional process automation programming languages (IEC-61131) and sometimes languages such as C and C++ to support more advanced controls.", + "x_mitre_sectors": [ + "General" + ], "x_mitre_related_assets": [ { "name": "Field Device / Controller", @@ -46,7 +50,7 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0" } ] diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json b/ics-attack/x-mitre-asset/x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json index 5c22911e3b..37917b4b77 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json 
+++ b/ics-attack/x-mitre-asset/x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--744b6c0c-a2dc-442b-b380-48cc3f88fe0f", + "id": "bundle--02b2228f-17e7-4123-a2d6-059f234781d2", "spec_version": "2.0", "objects": [ { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "created": "2023-09-28T15:01:48.509Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -19,7 +20,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:43:43.474Z", + "modified": "2026-04-27T17:47:40.077Z", "name": "Data Gateway", "description": "Data Gateway is a device that supports the communication and exchange of data between different systems, networks, or protocols within the ICS. Different types of data gateways are used to perform various functions, including:\n\n * Protocol Translation: Enable communication to devices that support different or incompatible protocols by translating information from one protocol to another. \n * Media Converter: Convert data across different Layer 1 and 2 network protocols / mediums, for example, converting from Serial to Ethernet. \n * Data Aggregation: Collect and combine data from different devices into one consistent format and protocol interface. \n* Data Mirroring: Create a real-time, exact copy of data streams from devices to a separate destination for redundancy, monitoring, or backup purposes.\n\nData gateways are often critical to the forwarding/transmission of critical control or monitoring data within the ICS. Further, these devices often have remote various network services that are used to communicate across different zones or networks. \n\nThese assets may focus on a single function listed below or combinations of these functions to best fit the industry use-case. \n", "x_mitre_sectors": [ 
@@ -60,7 +61,7 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0" } ] diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32.json b/ics-attack/x-mitre-asset/x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32.json index d01522dadc..8a5c4e7ca4 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32.json 
@@ -1,38 +1,11 @@ { "type": "bundle", - "id": "bundle--a8eaa565-c0b0-4c85-9ce9-111b041e1a75", + "id": "bundle--54fab86b-e7e7-471b-a242-d4ba80fb9bb5", "spec_version": "2.0", "objects": [ { - "modified": "2023-10-16T18:49:08.504Z", - "name": "Safety Controller", - "description": "Safety controllers are typically a type of field device used to perform the safety critical function. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector specific functions/applications. The safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.", - "x_mitre_related_assets": [ - { - "name": "Safety Instrumented System (SIS) controller", - "related_asset_sectors": [], - "description": "SIS controllers are used to \u201ctake the process to a safe state when predetermined conditions are violated\u201d (Citation: Guidance - NIST SP800-82) through the reading of sensor data and interaction with digital/physical control surfaces. These devices are oftentimes located on programmable embedded devices running specialized RTOS or other embedded operating systems. " - }, - { - "name": "Emergency Shutdown Systems (ESD) controller", - "related_asset_sectors": [], - "description": "Emergency Shutdown System controllers are used to read sensor values and interact with control surfaces to return the system \u201cto a safe static condition so that any remedial action can be taken\u201d. (Citation: SIGTTO ESD 2021)" - }, - { - "name": "Burner Management Systems (BMS) controller", - "related_asset_sectors": [], - "description": "Burner Management System controllers are used to interact with sensors and control surfaces to maintain safe operating conditions for the burner. These can include safely starting-up and managing the main flame, controlling and monitoring the burning conditions, and safely initiating planned or unplanned shutdown sequences." 
- } - ], - "x_mitre_platforms": [ - "Embedded" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "created": "2023-09-28T15:10:05.534Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -57,8 +30,45 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-27T17:25:50.475Z", + "name": "Safety Controller", + "description": "Safety controllers are typically a type of field device used to perform the safety critical function. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector specific functions/applications. The safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Safety Instrumented System (SIS) controller", + "related_asset_sectors": [ + "General" + ], + "description": "SIS controllers are used to \u201ctake the process to a safe state when predetermined conditions are violated\u201d (Citation: Guidance - NIST SP800-82) through the reading of sensor data and interaction with digital/physical control surfaces. These devices are oftentimes located on programmable embedded devices running specialized RTOS or other embedded operating systems. " + }, + { + "name": "Emergency Shutdown Systems (ESD) controller", + "related_asset_sectors": [ + "General" + ], + "description": "Emergency Shutdown System controllers are used to read sensor values and interact with control surfaces to return the system \u201cto a safe static condition so that any remedial action can be taken\u201d. (Citation: SIGTTO ESD 2021)" + }, + { + "name": "Burner Management Systems (BMS) controller", + "related_asset_sectors": [ + "General" + ], + "description": "Burner Management System controllers are used to interact with sensors and control surfaces to maintain safe operating conditions for the burner. 
These can include safely starting-up and managing the main flame, controlling and monitoring the burning conditions, and safely initiating planned or unplanned shutdown sequences." + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04.json b/ics-attack/x-mitre-asset/x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04.json index a81e5b5843..a8fc9b5a6e 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04.json 
@@ -1,10 +1,26 @@ { "type": "bundle", - "id": "bundle--a34fb614-3871-4631-aa2b-2b4f93679068", + "id": "bundle--36b8328e-58f7-4590-89d8-4262dff5e595", "spec_version": "2.0", "objects": [ { - "modified": "2023-10-04T18:01:02.506Z", + "type": "x-mitre-asset", + "spec_version": "2.1", + "id": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "created": "2023-09-28T14:46:42.566Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0005", + "external_id": "A0005" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-27T16:47:33.077Z", "name": "Intelligent Electronic Device (IED)", "description": "An Intelligent Electronic Device (IED) is a type of specialized field device that is designed to perform specific operational functions, frequently for protection, monitoring, or control within the electric sector. IEDs are typically used to both acquire telemetry and execute tailored control algorithms/actions based on customizable parameters/settings. An IED is usually implemented as a dedicated embedded device and supports various network automation protocols to communicate with RTUs and Control Servers.", "x_mitre_sectors": [ @@ -20,10 +36,13 @@ }, { "name": "Field Device / Controller", - "related_asset_sectors": [], + "related_asset_sectors": [ + "General" + ], "description": "IEDs may be referred to as Field Controllers or Field Devices as a general function name. " } ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Embedded" ], 
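Review bot: The added `"spec_version": "2.1"` on the `x-mitre-asset` object sits inside a bundle whose header still declares `"spec_version": "2.0"` (an unchanged context line), so the file now advertises two STIX versions at once. STIX 2.1 carries the version on each object and defines no bundle-level `spec_version`, so a consumer that picks its parser or schema from the bundle header may validate this object differently from one that reads the per-object property; that is inferred, not shown in the diff. Either drop the bundle-level line or document which of the two values ingest tooling should trust. The same pairing is introduced in the other asset files visible in this commit (DCS Controller, Application Server, PLC, Firewall, Switch, Routers, Data Historian, Control Server, Workstation).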
@@ -31,24 +50,8 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "type": "x-mitre-asset", - "id": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", - "created": "2023-09-28T14:46:42.566Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/assets/A0005", - "external_id": "A0005" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d.json b/ics-attack/x-mitre-asset/x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d.json index d8c8e2e7d0..589e353af2 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--9a7dcbee-8e16-4434-ba24-8023fa6804e8", + "id": "bundle--3d93502e-9a1a-484b-b88c-9360fe121536", "spec_version": "2.0", "objects": [ { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d", "created": "2025-09-24T22:53:09.627Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -19,7 +20,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T16:17:35.766Z", + "modified": "2026-04-23T01:01:01.668Z", "name": "Distributed Control System (DCS) Controller", "description": "A Distributed Control System (DCS) Controller is a microprocessor unit that is used to manage automation processes. DCS Controllers are often found in plants (chemical, manufacturing, oil and gas, etc.) where large scale continuous automation processes are required. A DCS Controller typically operates as part of a larger networked system with other DCS Controllers where each DCS Controller manages an individual part of a continuous process. In addition to these other controllers, DCS Controllers operate along side multiple other system components including system software, operator stations, and other embedded field controllers. The distributed nature of DCS Controllers provides scalability, redundancy, and improved process reliability. DCS Controllers are programmed using traditional process automation programming languages (IEC-61131). ", "x_mitre_sectors": [ @@ -49,7 +50,7 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0" } ] diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d.json b/ics-attack/x-mitre-asset/x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d.json index 95312cbb53..b78ee27cc1 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d.json 
@@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--8001d00b-92af-405a-889f-c296b877c95f", + "id": "bundle--8c02164e-2f82-4dfd-841e-8c7faa6a6ba7", "spec_version": "2.0", "objects": [ { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "created": "2023-09-28T14:58:00.982Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -19,7 +20,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-22T15:13:16.424Z", + "modified": "2026-04-23T01:01:24.568Z", "name": "Application Server", "description": "Application servers are used across many different sectors to host various diverse software applications necessary to supporting the ICS. Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers. The application server typically runs on a modern server operating system (e.g., MS Windows Server).", "x_mitre_sectors": [ @@ -85,14 +86,14 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Windows", - "Linux" + "Linux", + "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0" } ] diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990.json b/ics-attack/x-mitre-asset/x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990.json index cb8271c1d0..320eda36c3 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990.json 
@@ -1,38 +1,11 @@ { "type": "bundle", - "id": "bundle--e0625b78-27d2-4be3-bae6-a057ddefc1eb", + "id": "bundle--e27629db-4758-4658-93c7-4c040639972f", "spec_version": "2.0", "objects": [ { - "modified": "2023-10-04T18:09:21.296Z", - "name": "Programmable Logic Controller (PLC)", - "description": "A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support its processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry specific programming languages, such as IEC 61131 (Citation: IEC February 2013), which define the set of tasks and program organizational units (POUs) included in the device\u2019s programs. PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.", - "x_mitre_sectors": [ - "General" - ], - "x_mitre_related_assets": [ - { - "name": "Process Automation Controller (PAC)", - "related_asset_sectors": [ - "General" - ], - "description": "Process Automation Controllers (PAC) share much of the same functionality as a PLC. PACs may include advanced features for process control, motion control, drive control, and vision applications. PACs may include additional features such as options to program in traditional programming languages such as C and C++ in addition to 61131 programming languages in order to support these more advanced controls. " - }, - { - "name": "Field Device / Controller", - "related_asset_sectors": [], - "description": "Programmable Logic Controller (PLC) may be referred to as Field Controllers or Field Devices as a general function name. 
" - } - ], - "x_mitre_platforms": [ - "Embedded" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "created": "2023-09-28T14:43:05.105Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -52,8 +25,38 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2026-04-27T16:47:46.663Z", + "name": "Programmable Logic Controller (PLC)", + "description": "A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support its processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry specific programming languages, such as IEC 61131 (Citation: IEC February 2013), which define the set of tasks and program organizational units (POUs) included in the device\u2019s programs. PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Process Automation Controller (PAC)", + "related_asset_sectors": [ + "General" + ], + "description": "Process Automation Controllers (PAC) share much of the same functionality as a PLC. PACs may include advanced features for process control, motion control, drive control, and vision applications. PACs may include additional features such as options to program in traditional programming languages such as C and C++ in addition to 61131 programming languages in order to support these more advanced controls. " + }, + { + "name": "Field Device / Controller", + "related_asset_sectors": [ + "General" + ], + "description": "Programmable Logic Controller (PLC) may be referred to as Field Controllers or Field Devices as a general function name. 
" + } + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.3.0" } ] } \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237.json b/ics-attack/x-mitre-asset/x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237.json index 6ce36dbdec..c983aa5b58 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--96376143-eabd-4945-8f46-68be8d83dad5", + "id": "bundle--88404a72-0931-4e5c-8636-a977409d96ae", "spec_version": "2.0", "objects": [ { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237", "created": "2025-09-24T18:17:26.575Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -19,7 +20,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:34:14.912Z", + "modified": "2026-04-27T18:02:22.344Z", "name": "Firewall", "description": "A gateway that limits access between networks in accordance with local security policy.\n\nIn ICS networks, firewalls can exist in multiple locations in the network architecture and serve a variety of purposes. The first, and often the most important, is the firewall segmenting the ICS network from the business network. This firewall acts as the primary network boundary point that controls the ingress/egress of network traffic between the ICS and business networks. This firewall may also be a single device connected to multiple network segments, where the firewall defines individual zones for the different network segments and can control access to the zones and between the zones. This can limit the ability of an adversary to traverse a network.\n", "x_mitre_sectors": [ @@ -35,22 +36,21 @@ }, { "name": "Device Firewall", - "related_asset_sectors": [], "description": "A device firewall is used to control the flow of traffic between a network and an individual device. It is used when additional protections are required beyond that of a boundary firewall. For example, a boundary firewall may limit traffic on the network to two protocols, but, a device firewall may further limit traffic to a particular device on that network to a single protocol." } ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Network", "Embedded", "Windows", - "Linux" + "Linux", + "Network" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0" } ] 
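Review bot: In the second hunk the `Device Firewall` entry loses its `related_asset_sectors` key altogether, whereas the same empty array in the IED and PLC files of this commit is replaced with `["General"]`. A consumer that iterates `related_asset_sectors` on every related asset now meets a missing key for this one entry. If the sector is simply unknown, keep `"related_asset_sectors": [],`; otherwise populate it as the sibling files do. The reordered `x_mitre_platforms` list here (`Embedded`, `Windows`, `Linux`, `Network`) is also the only one among the visible files that is not alphabetical.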
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95.json b/ics-attack/x-mitre-asset/x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95.json index f0d597b304..8901fdeee1 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--90dfec6a-3b68-4a2b-9097-204eef6ab955", + "id": "bundle--dd84693a-cbc0-43c7-ab1e-d13e0a6f0020", "spec_version": "2.0", "objects": [ { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95", "created": "2025-09-24T17:53:28.482Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -19,7 +20,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:34:42.547Z", + "modified": "2026-04-27T18:01:55.383Z", "name": "Switch", "description": "A switch is a network device that connects endpoints (e.g., workstations, servers, HMIs, PLCs, etc.) so that they can communicate and share data and resources. Switches may operate at either Layer 2 or Layer 3 of the OSI Model and intelligently forward packets across the network based on the specified address (Media Access Control (MAC) address for Layer 2 and Internet Protocol (IP) address for Layer 3). Switches are typically used to define network segments and connect the devices within a particular level of the Purdue Model. ", "x_mitre_sectors": [ @@ -64,14 +65,14 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Network", - "Embedded" + "Embedded", + "Network" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.3.0" } ] 
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json b/ics-attack/x-mitre-asset/x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json index 78675ff84a..89a28759c7 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--1c1cb078-35cb-4998-ae33-9b293363cb4d", + "id": "bundle--6c0a911c-8eb6-423e-be98-732bc6d50c31", "spec_version": "2.0", "objects": [ { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", "created": "2023-09-29T18:55:09.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -24,7 +25,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:56:56.316Z", + "modified": "2026-04-27T17:45:55.901Z", "name": "Routers", "description": "A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.(Citation: IETF RFC4949 2007)", "x_mitre_sectors": [ @@ -39,7 +40,7 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0" } ] diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499.json b/ics-attack/x-mitre-asset/x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499.json index 1c1f8940ea..73150b62a2 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499.json 
@@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--94d6eb0c-15c8-450a-94e2-cbffcfff8790", + "id": "bundle--671a545a-6a86-4887-b540-1861489ca39c", "spec_version": "2.0", "objects": [ { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "created": "2023-09-28T14:48:36.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -19,7 +20,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:55:17.864Z", + "modified": "2026-04-23T01:03:57.506Z", "name": "Data Historian", "description": "Data historians, or historian, are systems used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting devices. The historian typically utilizes a database to store this data, and commonly provide tools and interfaces to support the analysis of the data. Data historians are often used to support various engineering or business analysis functions and therefore commonly needs access from the corporate network. Data historians often work in a hierarchical paradigm where lower/site level historians collect and store data which is then aggregated into a site/plant level historian. Therefore, data historians often have remote services that can be accessed externally from the ICS network. Many data historian vendors have designed their software to securely transfer data between the ICS and business networks instead of requiring business systems to access the data historian in the ICS network directly.", "x_mitre_sectors": [ @@ -27,15 +28,15 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Windows", + "Embedded", "Linux", - "Embedded" + "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0" } ] 
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3.json b/ics-attack/x-mitre-asset/x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3.json index 66be90d4a2..a665aa21f5 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--bf5bc097-87a7-4e1c-a79e-b145921a53f0", + "id": "bundle--391086b4-5ca0-47d2-89b9-b5a5a7ece734", "spec_version": "2.0", "objects": [ { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "created": "2023-09-28T14:55:39.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -24,7 +25,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:58:01.290Z", + "modified": "2026-04-23T01:04:14.767Z", "name": "Control Server", "description": "Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.", "x_mitre_sectors": [ @@ -78,15 +79,15 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Windows", + "Embedded", "Linux", - "Embedded" + "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0" } ] 
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json b/ics-attack/x-mitre-asset/x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json index d29240e645..76e9ced887 100644 --- a/ics-attack/x-mitre-asset/x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json +++ b/ics-attack/x-mitre-asset/x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--83e90f65-7e5c-48d1-82bb-76e89a5f0e81", + "id": "bundle--8401fbe6-fd07-4b66-961e-31701e6d023b", "spec_version": "2.0", "objects": [ { "type": "x-mitre-asset", + "spec_version": "2.1", "id": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "created": "2023-09-28T14:22:49.837Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -24,7 +25,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T19:58:23.607Z", + "modified": "2026-04-23T01:04:34.868Z", "name": "Workstation", "description": "Workstations are devices used by human operators or engineers to perform various configuration, programming, maintenance, diagnostic, or operational tasks. Workstations typically utilize standard desktop or laptop hardware and operating systems (e.g., MS Windows), but run dedicated control system applications or diagnostic/management software to support interfacing with the control servers or field devices. Some workstations have a fixed location within the network architecture, while others are transient devices that are directly connected to various field devices to support local management activities.", "x_mitre_sectors": [ @@ -48,14 +49,14 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Windows", - "Linux" + "Linux", + "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0" } ] 
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json index 10173c7787..6265b31fbe 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc5e8fe8-cdef-4b9c-ac78-5ce2950845c9", + "id": "bundle--4514b714-0eb0-4272-886f-2c25d680793f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json index bb64de502c..68a056d54c 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5678492d-3088-4acf-8c81-bf6cd4862c87", + "id": "bundle--54b3e289-f2ec-4421-8e58-4910514e4e45", "spec_version": "2.0", "objects": [ { 
@@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-23T18:37:33.992Z", "name": "Network Connection Creation", "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -29,88 +29,268 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { - "name": "Network Traffic", - "channel": "None" - }, - { - "name": "AWS:VPCFlowLogs", - "channel": "Outbound connection to 169.254.169.254 from EC2 workload" - }, - { - "name": "macos:unifiedlog", - "channel": "connection attempts" - }, - { - "name": "esxi:hostd", - "channel": "System service interactions" - }, - { - "name": "WinEventLog:Sysmon", - "channel": "EventCode=3, 22" - }, - { - "name": "NSM:Connections", - "channel": "web domain alerts" + "name": "NSM:Flow", + "channel": "log entries indicating network connection initiation on macOS" }, { "name": "auditd:SYSCALL", "channel": "connect" }, - { - "name": "macos:osquery", - "channel": "process_events/socket_events" - }, - { - "name": "NSM:Firewall", - "channel": "Outbound Connections" - }, - { - "name": "macos:unifiedlog", - "channel": "connection open" - }, { "name": "auditd:SYSCALL", "channel": "execve: Execs of chromium, google-chrome, firefox, libreoffice with http(s) in cmdline" }, { - "name": "NSM:Flow", - "channel": "New TCP/443 or TCP/80 to domain not previously seen for the user/host" + "name": "auditd:SYSCALL", + "channel": "connect/sendto" }, { - "name": "NSM:Connections", - "channel": "New outbound connection from Safari/Chrome/Firefox/Word" + "name": "auditd:SYSCALL", + "channel": "open or connect syscalls on /tmp/ssh-* or $SSH_AUTH_SOCK" }, { - "name": "NSM:Flow", - "channel": "conn.log" + "name": "auditd:SYSCALL", + "channel": "socket/connect with TLS context by unexpected process" }, { - "name": "macos:osquery", - "channel": "execution of trusted tools interacting with external endpoints" + "name": "auditd:SYSCALL", + "channel": "socket/bind: New bind() to a previously closed port shortly after the sequence." 
+ }, + { + "name": "auditd:SYSCALL", + "channel": "sendto/connect" + }, + { + "name": "auditd:SYSCALL", + "channel": "outbound connections" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/bind: Process binds to a new local port shortly after knock" + }, + { + "name": "auditd:SYSCALL", + "channel": "socket/connect calls showing SSH processes forwarding arbitrary ports" + }, + { + "name": "auditd:SYSCALL", + "channel": "openat,connect -k discovery" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Outbound connection to 169.254.169.254 from EC2 workload" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Large transfer volume (>20MB) from RDS IP range to external public IPs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "High outbound traffic from new region resource" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Outbound connections to port 22, 3389" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Traffic observed on mirror destination instance" + }, + { + "name": "cni:netflow", + "channel": "outbound connection to internal or external APIs" + }, + { + "name": "ebpf:syscalls", + "channel": "socket connect" + }, + { + "name": "esxi:esxupdate", + "channel": "/var/log/esxupdate.log or /var/log/vmksummary.log" + }, + { + "name": "esxi:hostd", + "channel": "System service interactions" + }, + { + "name": "esxi:hostd", + "channel": "Service initiated connections" + }, + { + "name": "esxi:hostd", + "channel": "Service-Based Network Connection" + }, + { + "name": "esxi:vmkernel", + "channel": "protocol egress" + }, + { + "name": "esxi:vmkernel", + "channel": "network activity" + }, + { + "name": "esxi:vmkernel", + "channel": "None" + }, + { + "name": "esxi:vmkernel", + "channel": "network session initiation with external HTTPS services" + }, + { + "name": "linux:osquery", + "channel": "family=AF_PACKET or protocol raw; process name not in allowlist." 
+ }, + { + "name": "linux:syslog", + "channel": "network" + }, + { + "name": "linux:syslog", + "channel": "postfix/smtpd" + }, + { + "name": "linux:syslog", + "channel": "New Wi-Fi connection established or repeated association failures" + }, + { + "name": "linux:syslog", + "channel": "None" }, { "name": "linux:Sysmon", "channel": "EventCode=3, 22" }, { - "name": "WinEventLog:Microsoft-Windows-Bits-Client/Operational", - "channel": "BITS job lifecycle events such as job create/modify/transfer/complete and URL/remote name fields" + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_CONNECT" }, { - "name": "NSM:Firewall", - "channel": "proxy or TLS inspection logs" + "name": "macos:osquery", + "channel": "process_events/socket_events" + }, + { + "name": "macos:osquery", + "channel": "execution of trusted tools interacting with external endpoints" + }, + { + "name": "macos:osquery", + "channel": "launchd or network_events" + }, + { + "name": "macos:osquery", + "channel": "process_events + launchd" + }, + { + "name": "macos:osquery", + "channel": "process_events, socket_events" + }, + { + "name": "macos:osquery", + "channel": "CONNECT: Long-lived connections from remote-control parents to external IPs/domains" + }, + { + "name": "macos:osquery", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "connection attempts" + }, + { + "name": "macos:unifiedlog", + "channel": "connection open" }, { "name": "macos:unifiedlog", "channel": "network connection events" }, { - "name": "esxi:vmkernel", - "channel": "protocol egress" + "name": "macos:unifiedlog", + "channel": "First outbound connection from the same PID/user shortly after an inbound trigger." 
+ }, + { + "name": "macos:unifiedlog", + "channel": "network sessions initiated by remote desktop apps" + }, + { + "name": "macos:unifiedlog", + "channel": "Inbound connections to VNC/SSH ports" + }, + { + "name": "macos:unifiedlog", + "channel": "network" + }, + { + "name": "macos:unifiedlog", + "channel": "Outbound Traffic" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "networkd or socket" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream network activity" + }, + { + "name": "macos:unifiedlog", + "channel": "Association and authentication events including failures and new SSIDs" + }, + { + "name": "Network", + "channel": "None" + }, + { + "name": "Network Traffic", + "channel": "None" + }, + { + "name": "networkdevice:Flow", + "channel": "Traffic from mirrored interface to mirror target IP" + }, + { + "name": "networkdevice:syslog", + "channel": "Dynamic route changes" + }, + { + "name": "NSM:Connections", + "channel": "web domain alerts" + }, + { + "name": "NSM:Connections", + "channel": "New outbound connection from Safari/Chrome/Firefox/Word" + }, + { + "name": "NSM:Connections", + "channel": "Outbound connections from newly spawned child processes or from the browser to uncommon endpoints or on anomalous ports" + }, + { + "name": "NSM:Connections", + "channel": "Outbound connection after script or installer launch" + }, + { + "name": "NSM:Firewall", + "channel": "Outbound Connections" + }, + { + "name": "NSM:Firewall", + "channel": "proxy or TLS inspection logs" + }, + { + "name": "NSM:Flow", + "channel": "New TCP/443 or TCP/80 to domain not previously seen for the user/host" + }, + { + "name": "NSM:Flow", + "channel": "conn.log" }, { "name": "NSM:Flow", 
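Review bot: Several added `x_mitre_log_sources` entries carry `"channel": "None"` (`esxi:vmkernel`, `linux:syslog`, `macos:osquery`, `macos:unifiedlog`, `Network`), which reads as a stringified missing value rather than a channel name. Tooling that builds collection or detection queries from `name` plus `channel` cannot tell this sentinel from a real channel and would likely filter on the literal text `None`. Prefer omitting `channel` or using JSON `null` if the schema allows it; otherwise document the sentinel. The first added entry, `NSM:Flow` with a channel describing macOS log entries, also sits ahead of `auditd:SYSCALL` and outside the name ordering the rest of the list follows, so both its position and its `name` are worth confirming. The hunk shows only part of the array, so some of these entries may have been moved rather than newly written.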
@@ -124,26 +304,10 @@
 "name": "NSM:Flow",
 "channel": "HTTPs connection to tunnels.api.visualstudio.com"
 },
- {
- "name": "WinEventLog:Security",
- "channel": "EventCode=5156, 5157"
- },
- {
- "name": "linux:osquery",
- "channel": "family=AF_PACKET or protocol raw; process name not in allowlist."
- },
- {
- "name": "macos:unifiedlog",
- "channel": "First outbound connection from the same PID/user shortly after an inbound trigger."
- },
 {
 "name": "NSM:Flow",
 "channel": "Outbound or inbound TFTP file transfers of ROMMON or firmware binaries"
 },
- {
- "name": "NSM:Connections",
- "channel": "Outbound connections from newly spawned child processes or from the browser to uncommon endpoints or on anomalous ports"
- },
 {
 "name": "NSM:Flow",
 "channel": "connection: TCP connections to ports 139/445 to multiple hosts"
@@ -152,62 +316,18 @@
 "name": "NSM:Flow",
 "channel": "connection: SMB connections to multiple internal hosts"
 },
- {
- "name": "auditd:SYSCALL",
- "channel": "connect/sendto"
- },
- {
- "name": "macos:endpointsecurity",
- "channel": "ES_EVENT_TYPE_NOTIFY_CONNECT"
- },
- {
- "name": "snmp:access",
- "channel": "GETBULK/GETNEXT requests for OIDs associated with configuration parameters"
- },
- {
- "name": "esxi:hostd",
- "channel": "Service initiated connections"
- },
- {
- "name": "AWS:VPCFlowLogs",
- "channel": "Large transfer volume (>20MB) from RDS IP range to external public IPs"
- },
- {
- "name": "AWS:VPCFlowLogs",
- "channel": "High outbound traffic from new region resource"
- },
 {
 "name": "NSM:Flow",
 "channel": "Outbound HTTP/S initiated by newly installed interpreter process"
 },
- {
- "name": "auditd:SYSCALL",
- "channel": "open or connect syscalls on /tmp/ssh-* or $SSH_AUTH_SOCK"
- },
 {
 "name": "NSM:Flow",
 "channel": "outbound connections to RMM services or to unusual destination ports"
 },
- {
- "name": "macos:unifiedlog",
- "channel": "network sessions initiated by remote desktop apps"
- },
- {
- "name": "AWS:VPCFlowLogs",
- "channel": "Outbound connections to port 22, 3389"
- },
- {
- "name": "auditd:SYSCALL",
- "channel": "socket/connect with TLS context by unexpected process"
- },
 {
 "name": "NSM:Flow",
 "channel": "Multiple failed connections (conn_state=REJ/S0 or history has 'R') across distinct ports from the same src_ip followed by success to a specific port."
 },
- {
- "name": "auditd:SYSCALL",
- "channel": "socket/bind: New bind() to a previously closed port shortly after the sequence."
- },
 {
 "name": "NSM:Flow",
 "channel": "Sequence of REJ/S0 then SF success from same src_ip within TimeWindow."
@@ -220,18 +340,6 @@
 "name": "NSM:Flow",
 "channel": "Outbound traffic spike through formerly blocked ports/subnets following config change"
 },
- {
- "name": "cni:netflow",
- "channel": "outbound connection to internal or external APIs"
- },
- {
- "name": "macos:osquery",
- "channel": "launchd or network_events"
- },
- {
- "name": "networkdevice:syslog",
- "channel": "Dynamic route changes"
- },
 {
 "name": "NSM:Flow",
 "channel": "New egress to Internet by the same UID/host shortly after terminal exec"
@@ -240,30 +348,10 @@
 "name": "NSM:Flow",
 "channel": "connection: Inbound connections to SSH or VPN ports"
 },
- {
- "name": "macos:unifiedlog",
- "channel": "Inbound connections to VNC/SSH ports"
- },
 {
 "name": "NSM:Flow",
 "channel": "External access to container ports (2375, 6443)"
 },
- {
- "name": "linux:syslog",
- "channel": "network"
- },
- {
- "name": "macos:osquery",
- "channel": "process_events + launchd"
- },
- {
- "name": "esxi:esxupdate",
- "channel": "/var/log/esxupdate.log or /var/log/vmksummary.log"
- },
- {
- "name": "ebpf:syscalls",
- "channel": "socket connect"
- },
 {
 "name": "NSM:Flow",
 "channel": "remote access"
@@ -272,26 +360,6 @@
 "name": "NSM:Flow",
 "channel": "Outbound Connections"
 },
- {
- "name": "macos:unifiedlog",
- "channel": "network"
- },
- {
- "name": "AWS:VPCFlowLogs",
- "channel": "Traffic observed on mirror destination instance"
- },
- {
- "name": "networkdevice:Flow",
- "channel": "Traffic from mirrored interface to mirror target IP"
- },
- {
- "name": "macos:osquery",
- "channel": "process_events, socket_events"
- },
- {
- "name": "esxi:vmkernel",
- "channel": "network activity"
- },
 {
 "name": "NSM:Flow",
 "channel": "connection attempts"
@@ -300,26 +368,10 @@
 "name": "NSM:Flow",
 "channel": "High-volume or repeated SNMP GETBULK/GETNEXT queries from untrusted or external IPs"
 },
- {
- "name": "auditd:SYSCALL",
- "channel": "sendto/connect"
- },
 {
 "name": "NSM:Flow",
 "channel": "outbound connections from host during or immediately after image build"
 },
- {
- "name": "macos:unifiedlog",
- "channel": "Outbound Traffic"
- },
- {
- "name": "esxi:hostd",
- "channel": "Service-Based Network Connection"
- },
- {
- "name": "linux:syslog",
- "channel": "postfix/smtpd"
- },
 {
 "name": "NSM:Flow",
 "channel": "new outbound connection from browser/office lineage"
@@ -328,38 +380,10 @@
 "name": "NSM:Flow",
 "channel": "new outbound connection from exploited lineage"
 },
- {
- "name": "macos:osquery",
- "channel": "CONNECT: Long-lived connections from remote-control parents to external IPs/domains"
- },
- {
- "name": "auditd:SYSCALL",
- "channel": "outbound connections"
- },
- {
- "name": "macos:unifiedlog",
- "channel": "None"
- },
- {
- "name": "esxi:vmkernel",
- "channel": "None"
- },
- {
- "name": "macos:unifiedlog",
- "channel": "networkd or socket"
- },
- {
- "name": "macos:unifiedlog",
- "channel": "log stream network activity"
- },
 {
 "name": "NSM:Flow",
 "channel": "Multiple failed connections to closed ports (history contains 'R' or conn_state in {REJ, S0}) followed by a successful handshake to a new port from same src within TimeWindowKnock"
 },
- {
- "name": "auditd:SYSCALL",
- "channel": "socket/bind: Process binds to a new local port shortly after knock"
- },
 {
 "name": "NSM:Flow",
 "channel": "Closed-port hits followed by success from same src_ip"
@@ -368,42 +392,6 @@
 "name": "NSM:Flow",
 "channel": "Port-knock pattern from one src to device unicast,broadcast,network addresses on same port within TimeWindowKnock"
 },
- {
- "name": "WinEventLog:Microsoft-Windows-WLAN-AutoConfig",
- "channel": "EventCode=8001, 8002, 8003"
- },
- {
- "name": "linux:syslog",
- "channel": "New Wi-Fi connection established or repeated association failures"
- },
- {
- "name": "macos:unifiedlog",
- "channel": "Association and authentication events including failures and new SSIDs"
- },
- {
- "name": "auditd:SYSCALL",
- "channel": "socket/connect calls showing SSH processes forwarding arbitrary ports"
- },
- {
- "name": "esxi:vmkernel",
- "channel": "network session initiation with external HTTPS services"
- },
- {
- "name": "WinEventLog:System",
- "channel": "EventCode=8001"
- },
- {
- "name": "linux:syslog",
- "channel": "None"
- },
- {
- "name": "macos:osquery",
- "channel": "None"
- },
- {
- "name": "auditd:SYSCALL",
- "channel": "openat,connect -k discovery"
- },
 {
 "name": "NSM:Flow",
 "channel": "Unexpected inbound/outbound TFTP traffic for device image files"
@@ -411,6 +399,30 @@
 {
 "name": "NSM:Flow",
 "channel": "Unexpected or unauthorized inbound connections to SNMP, NETCONF, or RESTCONF services"
+ },
+ {
+ "name": "snmp:access",
+ "channel": "GETBULK/GETNEXT requests for OIDs associated with configuration parameters"
+ },
+ {
+ "name": "WinEventLog:Microsoft-Windows-Bits-Client/Operational",
+ "channel": "BITS job lifecycle events such as job create/modify/transfer/complete and URL/remote name fields"
+ },
+ {
+ "name": "WinEventLog:Microsoft-Windows-WLAN-AutoConfig",
+ "channel": "EventCode=8001, 8002, 8003"
+ },
+ {
+ "name": "WinEventLog:Security",
+ "channel": "EventCode=5156, 5157"
+ },
+ {
+ "name": "WinEventLog:Sysmon",
+ "channel": "EventCode=3, 22"
+ },
+ {
+ "name": "WinEventLog:System",
+ "channel": "EventCode=8001"
 }
 ]
 }
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json
index 5d447238f9..08d83dbbb6 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--da5a1aa2-4f4e-474f-bc36-8e77e80d8c2b",
+ "id": "bundle--5ac46c2b-7cab-4d4b-ba14-1a2f019ba33d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,190 +19,103 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-23T18:39:07.536Z", "name": "File Access", "description": "To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: \n\n- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.\n- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).\n- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows).\n- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).\n- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { - "name": "File", - "channel": "None" + "name": "macOS:unifiedlog", + "channel": "looking for file access to scripts with abnormal encoding patterns" }, { - "name": "m365:unified", - "channel": "FileAccessed, MailboxAccessed" + "name": "android:logcat", + "channel": "READ or COPY operations where path matches external/shared locations of other apps (e.g., /storage/emulated/0/Android/data//files/, /storage/emulated/0/Download//*)" }, { - "name": 
"auditd:SYSCALL", - "channel": "open, read, or stat of browser config files" + "name": "android:logcat", + "channel": "KeyChain/AndroidKeyStore read of token alias" }, { - "name": "macos:unifiedlog", - "channel": "Access to ~/Library/*/Safari or Chrome directories by non-browser processes" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4663, 4670, 4656" - }, - { - "name": "macos:unifiedlog", - "channel": "file events" - }, - { - "name": "gcp:audit", - "channel": "Write operations to storage" - }, - { - "name": "esxi:vmkernel", - "channel": "VMFS access logs" - }, - { - "name": "macos:endpointsecurity", - "channel": "ES_EVENT_TYPE_NOTIFY_OPEN: Open of .dylib/.so in user-writable locations" - }, - { - "name": "auditd:SYSCALL", - "channel": "open: File access attempt on /tmp/krb5cc_* or /tmp/krb5.ccache" - }, - { - "name": "macos:unifiedlog", - "channel": "Kerberos framework calls to API:{uuid} cache outside normal process lineage" - }, - { - "name": "auditd:SYSCALL", - "channel": "openat" + "name": "android:logcat", + "channel": "READ/LIST/STAT of /sdcard|/storage/emulated/0|/Android/media|/Documents with >N distinct paths in TimeWindow" }, { "name": "auditd:FILE", "channel": "/home/*/.mozilla/firefox/*/logins.json OR /home/*/.config/google-chrome/*/Login Data" }, - { - "name": "macos:unifiedlog", - "channel": "~/Library/Application Support/Google/Chrome/*/Login Data OR ~/Library/Application Support/Firefox/*/logins.json" - }, - { - "name": "auditd:SYSCALL", - "channel": "open" - }, { "name": "auditd:FILE", "channel": "/proc/*/mem read attempt" }, + { + "name": "auditd:FS", + "channel": "read: File access to /proc/modules or /sys/module/" + }, { "name": "auditd:PATH", "channel": "Read access to known backup software configuration files (e.g., /etc/rsnapshot.conf, /opt/veeam/config.ini)" }, { - "name": "macos:unifiedlog", - "channel": "Read access to Time Machine plist files or CCC configurations in ~/Library/Preferences/" + "name": "auditd:PATH", 
+ "channel": "open: Access to sensitive log files (/var/log/auth.log, /var/log/secure, /var/log/syslog)" + }, + { + "name": "auditd:PATH", + "channel": "PATH" + }, + { + "name": "auditd:PATH", + "channel": "file read" + }, + { + "name": "auditd:SYSCALL", + "channel": "open, read, or stat of browser config files" + }, + { + "name": "auditd:SYSCALL", + "channel": "open: File access attempt on /tmp/krb5cc_* or /tmp/krb5.ccache" + }, + { + "name": "auditd:SYSCALL", + "channel": "openat" + }, + { + "name": "auditd:SYSCALL", + "channel": "open" }, { "name": "auditd:SYSCALL", "channel": "open, read" }, - { - "name": "linux:syslog", - "channel": "auth.log or custom tool logs" - }, - { - "name": "fs:fsusage", - "channel": "file" - }, - { - "name": "linux:syslog", - "channel": "/var/log/syslog" - }, - { - "name": "macos:osquery", - "channel": "file_events" - }, { "name": "auditd:SYSCALL", "channel": "open, flock, fcntl, unlink" }, - { - "name": "fs:fsusage", - "channel": "File Access Monitor" - }, - { - "name": "macos:unifiedlog", - "channel": "log stream - file subsystem" - }, { "name": "auditd:SYSCALL", "channel": "read/open of sensitive files" }, - { - "name": "macos:unifiedlog", - "channel": "file read of sensitive directories" - }, - { - "name": "esxi:hostd", - "channel": "datastore file access" - }, { "name": "auditd:SYSCALL", "channel": "Unusual processes accessing or modifying cookie databases" }, - { - "name": "macos:unifiedlog", - "channel": "Abnormal process access to Safari or Chrome cookie storage" - }, { "name": "auditd:SYSCALL", "channel": "PATH records referencing /dev/video*" }, - { - "name": "macos:endpointsecurity", - "channel": "open: Process opens AppleCamera/IOUSB device nodes or AVFoundation frameworks" - }, - { - "name": "ebpf:syscalls", - "channel": "container_file_activity" - }, - { - "name": "fs:fsusage", - "channel": "Disk Activity Tracing" - }, - { - "name": "macos:keychain", - "channel": "Access to Keychain DB or system.keychain" - }, { "name": 
"auditd:SYSCALL", "channel": "open, read: /etc/ssl/, /etc/pki/, ~/.pki/nssdb/" }, - { - "name": "macos:keychain", - "channel": "~/Library/Keychains, /Library/Keychains" - }, - { - "name": "m365:unified", - "channel": "Bulk downloads or API extractions from Microsoft-hosted data repositories (e.g., Dynamics 365)" - }, - { - "name": "auditd:PATH", - "channel": "open: Access to sensitive log files (/var/log/auth.log, /var/log/secure, /var/log/syslog)" - }, - { - "name": "macos:unifiedlog", - "channel": "open: Access to /var/log/system.log or related security event logs" - }, - { - "name": "azure:activity", - "channel": "CollectGuestLogs: Unexpected collection of guest logs by Azure VM Agent outside normal maintenance windows" - }, - { - "name": "esxi:hostd", - "channel": "read: Access to sensitive log files by non-admin users" - }, { "name": "auditd:SYSCALL", "channel": "Processes reading credential or token cache files" 
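Review bot: The first log source added to `x_mitre_log_sources` in this hunk is named `macOS:unifiedlog`, while every other visible entry for that source is spelled `macos:unifiedlog`, so a consumer that groups or matches log sources by exact name will treat it as a separate source; it also sits ahead of the otherwise sorted list, and the line should read `"name": "macos:unifiedlog",`. The `android:logcat` channel right after it contains empty path segments (`/storage/emulated/0/Android/data//files/`, `/storage/emulated/0/Download//*`), which looks like a placeholder such as a package name was stripped on export. Restoring the placeholder text matters for anyone deriving a path filter from this channel, because the string as written is unlikely to match real app directories. The last entry of the hunk is a context line whose object closes in the next hunk.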
@@ -211,138 +124,42 @@ "name": "auditd:SYSCALL", "channel": "read/open of sensitive file directories" }, - { - "name": "esxi:hostd", - "channel": "datastore/log file access" - }, - { - "name": "fs:fsusage", - "channel": "filesystem activity" - }, - { - "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", - "channel": "Suspicious file execution on removable media path" - }, - { - "name": "auditd:PATH", - "channel": "PATH" - }, { "name": "auditd:SYSCALL", "channel": "open/read of sensitive config or secret files" }, - { - "name": "macos:unifiedlog", - "channel": "open/read of *.plist or .env files" - }, - { - "name": "ebpf:syscalls", - "channel": "open/read on secret mount paths" - }, - { - "name": "CloudTrail:GetObject", - "channel": "sensitive credential files in buckets or local image storage" - }, { "name": "auditd:SYSCALL", "channel": "open/read of sensitive directories" }, - { - "name": "macos:unifiedlog", - "channel": "read of user document directories" - }, - { - "name": "esxi:syslog", - "channel": "guest OS outbound transfer logs" - }, - { - "name": "fs:fsusage", - "channel": "Filesystem Call Monitoring" - }, - { - "name": "esxi:hostd", - "channel": "vSphere File API Access" - }, { "name": "auditd:SYSCALL", "channel": "open/read: Access to /proc/self/status with focus on TracerPID field" }, - { - "name": "fs:fsusage", - "channel": "read/write" - }, - { - "name": "esxis:vmkernel", - "channel": "Datastore Access" - }, { "name": "auditd:SYSCALL", "channel": "open/read access to ~/.bash_history" }, - { - "name": "macos:endpointsecurity", - "channel": "open or read syscall to ~/.bash_history" - }, - { - "name": "macos:unifiedlog", - "channel": "read access to ~/Library/Keychains/login.keychain-db" - }, { "name": "auditd:SYSCALL", "channel": "open,read" }, - { - "name": "macos:unifiedlog", - "channel": "filesystem and process events" - }, { "name": "auditd:SYSCALL", "channel": "open/read system calls to ~/.bash_history or /etc/shadow" }, - { - 
"name": "macos:unifiedlog", - "channel": "read access to ~/Library/Keychains or history files by terminal processes" - }, { "name": "auditd:SYSCALL", "channel": "read of /run/secrets or docker volumes by non-entrypoint process" }, - { - "name": "macos:unifiedlog", - "channel": "access to /Volumes/SharePoint or network mount" - }, { "name": "auditd:SYSCALL", "channel": "Reads of ~/.bash_history, ~/.mozilla, or access to /dev/input" }, - { - "name": "macos:unifiedlog", - "channel": "Access to ~/Library/Safari/Bookmarks.plist or recent files" - }, { "name": "auditd:SYSCALL", "channel": "open/read" }, - { - "name": "macos:unifiedlog", - "channel": "access to keychain database" - }, - { - "name": "auditd:PATH", - "channel": "file read" - }, - { - "name": "linux:syslog", - "channel": "kernel messages related to cryptographic operations, module loading, and filesystem access patterns" - }, - { - "name": "fs:fsevents", - "channel": "file system events indicating access to system configuration files and environmental information sources" - }, - { - "name": "macos:endpointsecurity", - "channel": "es_event_open, es_event_exec" - }, { "name": "auditd:SYSCALL", "channel": "open: Access to named pipes or FIFO in /tmp or /dev/shm by unexpected processes" 
@@ -351,82 +168,22 @@ "name": "auditd:SYSCALL", "channel": "open or read to browser cookie storage" }, - { - "name": "fs:fsusage", - "channel": "file open for known browser cookie paths" - }, { "name": "auditd:SYSCALL", "channel": "open, read, mount" }, - { - "name": "fs:fsusage", - "channel": "file reads/writes from /Volumes/" - }, - { - "name": "macos:unifiedlog", - "channel": "log stream - file provider subsystem" - }, { "name": "auditd:SYSCALL", "channel": "file" }, - { - "name": "kubernetes:audit", - "channel": "GET or LIST requests to /var/run/secrets/kubernetes.io/serviceaccount/ followed by access to the Kubernetes API server" - }, { "name": "auditd:SYSCALL", "channel": "Access to /var/lib/sss/secrets/secrets.ldb or .secrets.mkey" }, - { - "name": "fs:quarantine", - "channel": "/var/log/quarantine.log" - }, - { - "name": "desktop:file_manager", - "channel": "nautilus, dolphin, or gvfs logs" - }, - { - "name": "linux:osquery", - "channel": "/proc/*/maps access" - }, { "name": "auditd:SYSCALL", "channel": "open/read of sensitive directories (/etc, /home/*)" }, - { - "name": "macos:unifiedlog", - "channel": "read/write of user documents prior to upload" - }, - { - "name": "esxi:hostd", - "channel": "file copy or datastore upload via HTTPS" - }, - { - "name": "macos:unifiedlog", - "channel": "open/read access to private key files (id_rsa, *.pem, *.p12)" - }, - { - "name": "linux:osquery", - "channel": "None" - }, - { - "name": "macos:osquery", - "channel": "None" - }, - { - "name": "fs:fileevents", - "channel": "File system access events with kFSEventStreamEventFlagItemRemoved, kFSEventStreamEventFlagItemRenamed flags for environmental artifact collection (/System/Library, /usr/sbin, plist files)" - }, - { - "name": "auditd:FS", - "channel": "read: File access to /proc/modules or /sys/module/" - }, - { - "name": "macos:unifiedlog", - "channel": "read: File access to /System/Library/Extensions/ or related kernel extension paths" - }, { "name": "auditd:SYSCALL", 
"channel": "PATH" 
@@ -435,9 +192,297 @@ "name": "auditd:SYSCALL", "channel": "open/read on ~/.local/share/keepassxc/* OR ~/.password-store/*" }, + { + "name": "auditd:SYSCALL", + "channel": "attempts to read /proc/* entries at scale (openat/getdents64/readlink) or access denied for /proc traversal; correlate to app UID" + }, + { + "name": "azure:activity", + "channel": "CollectGuestLogs: Unexpected collection of guest logs by Azure VM Agent outside normal maintenance windows" + }, + { + "name": "CloudTrail:GetObject", + "channel": "sensitive credential files in buckets or local image storage" + }, + { + "name": "desktop:file_manager", + "channel": "nautilus, dolphin, or gvfs logs" + }, + { + "name": "ebpf:syscalls", + "channel": "container_file_activity" + }, + { + "name": "ebpf:syscalls", + "channel": "open/read on secret mount paths" + }, + { + "name": "esxi:hostd", + "channel": "datastore file access" + }, + { + "name": "esxi:hostd", + "channel": "read: Access to sensitive log files by non-admin users" + }, + { + "name": "esxi:hostd", + "channel": "datastore/log file access" + }, + { + "name": "esxi:hostd", + "channel": "vSphere File API Access" + }, + { + "name": "esxi:hostd", + "channel": "file copy or datastore upload via HTTPS" + }, + { + "name": "esxi:syslog", + "channel": "guest OS outbound transfer logs" + }, + { + "name": "esxi:vmkernel", + "channel": "VMFS access logs" + }, + { + "name": "esxis:vmkernel", + "channel": "Datastore Access" + }, + { + "name": "File", + "channel": "None" + }, + { + "name": "fs:fileevents", + "channel": "File system access events with kFSEventStreamEventFlagItemRemoved, kFSEventStreamEventFlagItemRenamed flags for environmental artifact collection (/System/Library, /usr/sbin, plist files)" + }, + { + "name": "fs:fsevents", + "channel": "file system events indicating access to system configuration files and environmental information sources" + }, + { + "name": "fs:fsusage", + "channel": "file" + }, + { + "name": "fs:fsusage", + "channel": "File 
Access Monitor" + }, + { + "name": "fs:fsusage", + "channel": "Disk Activity Tracing" + }, + { + "name": "fs:fsusage", + "channel": "filesystem activity" + }, + { + "name": "fs:fsusage", + "channel": "Filesystem Call Monitoring" + }, + { + "name": "fs:fsusage", + "channel": "read/write" + }, + { + "name": "fs:fsusage", + "channel": "file open for known browser cookie paths" + }, + { + "name": "fs:fsusage", + "channel": "file reads/writes from /Volumes/" + }, + { + "name": "fs:quarantine", + "channel": "/var/log/quarantine.log" + }, + { + "name": "gcp:audit", + "channel": "Write operations to storage" + }, + { + "name": "iOS:unifiedlog", + "channel": "READ operations from App Group containers (/var/mobile/Containers/Shared/AppGroup/...) or Files/Photos provider mountpoints, especially when group not owned by bundle" + }, + { + "name": "iOS:unifiedlog", + "channel": "readdir/stat/read of /private/var/mobile/Containers/Shared/AppGroup|/Library/Mobile Documents|/On\\\\ My\\\\ iPhone with >N distinct paths in TimeWindow" + }, + { + "name": "kubernetes:audit", + "channel": "GET or LIST requests to /var/run/secrets/kubernetes.io/serviceaccount/ followed by access to the Kubernetes API server" + }, + { + "name": "linux:osquery", + "channel": "/proc/*/maps access" + }, + { + "name": "linux:osquery", + "channel": "None" + }, + { + "name": "linux:syslog", + "channel": "auth.log or custom tool logs" + }, + { + "name": "linux:syslog", + "channel": "/var/log/syslog" + }, + { + "name": "linux:syslog", + "channel": "kernel messages related to cryptographic operations, module loading, and filesystem access patterns" + }, + { + "name": "m365:unified", + "channel": "FileAccessed, MailboxAccessed" + }, + { + "name": "m365:unified", + "channel": "Bulk downloads or API extractions from Microsoft-hosted data repositories (e.g., Dynamics 365)" + }, + { + "name": "macos:endpointsecurity", + "channel": "ES_EVENT_TYPE_NOTIFY_OPEN: Open of .dylib/.so in user-writable locations" + }, + { + 
"name": "macos:endpointsecurity", + "channel": "open: Process opens AppleCamera/IOUSB device nodes or AVFoundation frameworks" + }, + { + "name": "macos:endpointsecurity", + "channel": "open or read syscall to ~/.bash_history" + }, + { + "name": "macos:endpointsecurity", + "channel": "es_event_open, es_event_exec" + }, + { + "name": "macos:keychain", + "channel": "Access to Keychain DB or system.keychain" + }, + { + "name": "macos:keychain", + "channel": "~/Library/Keychains, /Library/Keychains" + }, + { + "name": "macos:osquery", + "channel": "file_events" + }, + { + "name": "macos:osquery", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "Access to ~/Library/*/Safari or Chrome directories by non-browser processes" + }, + { + "name": "macos:unifiedlog", + "channel": "file events" + }, + { + "name": "macos:unifiedlog", + "channel": "Kerberos framework calls to API:{uuid} cache outside normal process lineage" + }, + { + "name": "macos:unifiedlog", + "channel": "~/Library/Application Support/Google/Chrome/*/Login Data OR ~/Library/Application Support/Firefox/*/logins.json" + }, + { + "name": "macos:unifiedlog", + "channel": "Read access to Time Machine plist files or CCC configurations in ~/Library/Preferences/" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream - file subsystem" + }, + { + "name": "macos:unifiedlog", + "channel": "file read of sensitive directories" + }, + { + "name": "macos:unifiedlog", + "channel": "Abnormal process access to Safari or Chrome cookie storage" + }, + { + "name": "macos:unifiedlog", + "channel": "open: Access to /var/log/system.log or related security event logs" + }, + { + "name": "macos:unifiedlog", + "channel": "open/read of *.plist or .env files" + }, + { + "name": "macos:unifiedlog", + "channel": "read of user document directories" + }, + { + "name": "macos:unifiedlog", + "channel": "read access to ~/Library/Keychains/login.keychain-db" + }, + { + "name": "macos:unifiedlog", + "channel": 
"filesystem and process events" + }, + { + "name": "macos:unifiedlog", + "channel": "read access to ~/Library/Keychains or history files by terminal processes" + }, + { + "name": "macos:unifiedlog", + "channel": "access to /Volumes/SharePoint or network mount" + }, + { + "name": "macos:unifiedlog", + "channel": "Access to ~/Library/Safari/Bookmarks.plist or recent files" + }, + { + "name": "macos:unifiedlog", + "channel": "access to keychain database" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream - file provider subsystem" + }, + { + "name": "macos:unifiedlog", + "channel": "read/write of user documents prior to upload" + }, + { + "name": "macos:unifiedlog", + "channel": "open/read access to private key files (id_rsa, *.pem, *.p12)" + }, + { + "name": "macos:unifiedlog", + "channel": "read: File access to /System/Library/Extensions/ or related kernel extension paths" + }, { "name": "macos:unifiedlog", "channel": "*.opvault OR *.ldb OR *.kdbx" + }, + { + "name": "macos:unifiedlog", + "channel": "Recent download opened or executed" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application reads multiple local container files, browser-history artifacts, messaging artifacts, or local records in rapid sequence during the collection phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application loads executable or library from external or writable directory (e.g., /sdcard/, app cache) prior to execution" + }, + { + "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", + "channel": "Suspicious file execution on removable media path" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4663, 4670, 4656" } ] } 
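Review bot: The second `iOS:unifiedlog` channel added in this hunk writes its path alternation as `/On\\\\ My\\\\ iPhone`, and four backslashes in JSON source decode to two literal backslashes before each space rather than one escaped space; if the text is meant to be usable as a pattern, a single level of escaping (`\\ ` in the JSON source) is probably what was intended. The same four-backslash form appears in the `android:logcat` and `iOS:unifiedlog` channels added to the File Creation component (for example `.*\\\\.db|\\\\.txt|\\\\.log`), where it would change an escaped dot into a backslash followed by any character; that hunk runs past the end of this view. This hunk also re-adds the source name `esxis:vmkernel` directly after `esxi:vmkernel`; if that is a typo carried over from the old list, the re-sort is a good moment to normalise it to `"name": "esxi:vmkernel",`. The page rendering may itself have doubled the backslashes, so confirm against the raw file before changing them.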
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json
index 3bb3aa4aa9..76038b5ea5 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1c5fe617-975f-43dd-831d-42cdaa9500c0",
+ "id": "bundle--72320def-8d97-4833-87f5-413ee88ddb55",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,17 +19,17 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-11-12T22:03:39.105Z",
+ "modified": "2026-04-23T17:17:05.280Z",
 "name": "File Creation",
 "description": "A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). ",
- "x_mitre_data_source_ref": "",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
 "x_mitre_domains": [
 "ics-attack",
- "enterprise-attack"
+ "enterprise-attack",
+ "mobile-attack"
 ],
- "x_mitre_version": "2.0",
+ "x_mitre_version": "3.0",
 "x_mitre_attack_spec_version": "3.3.0",
 "x_mitre_log_sources": [
 {
@@ -387,6 +387,162 @@ { "name": "AWS:CloudTrail", "channel": "PutObject" + }, + { + "name": "android:logcat", + "channel": "App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data//files/, /sdcard/Download/) and high estimated entropy" + }, + { + "name": "iOS:unifiedlog", + "channel": "NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application//tmp|Library/Caches)" + }, + { + "name": "android:logcat", + "channel": "App UID writes edited media to container paths (e.g., /data/data//files/, .../cache/, /storage/emulated/0/Pictures//) with high delta in size vs. original and elevated estimated segment entropy " + }, + { + "name": "android:logcat", + "channel": "Create/write of high-entropy files in /data/data//(files|cache)/ or /storage/emulated/0/<...> with .dex/.so/.jar/.tmp/.bin" + }, + { + "name": "iOS:unifiedlog", + "channel": "Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/" + }, + { + "name": "android:logcat", + "channel": "Create/write under /data/data//(files|cache)/ or /storage/emulated/0/ with extension .dex/.jar/.so/.zip/.tmp/.js and elevated entropy" + }, + { + "name": "iOS:unifiedlog", + "channel": "Create/write in /var/mobile/Containers/Data/Application//(tmp|Library/Caches)/ for .js/.bundle/.dylib/.zip with elevated entropy" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt)" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE of clipboard dump artifacts in 
container (clipboard.db, clip_*.txt, caches)" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE paths like /data/data//files/(keys|inputs)/.*\\\\.db|\\\\.txt|\\\\.log" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE to /data/data//(files|databases)/(keys|inputs|clipboard).*\\\\.(db|sqlite|txt|log)" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE of keylog artifacts (keys_*.txt, inputs.db) within app/keyboard container" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE to /data/data//(files|databases)/(creds|form|prompt).*\\\\.(db|sqlite|json|txt)" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE /data/data//(files|databases)/(app_inventory|pkg_list).*\\\\.(json|txt|db)" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE container paths like /Library/Caches/app_inventory.*\\\\.(json|plist|db)" + }, + { + "name": "android:logcat", + "channel": "CREATE/WRITE /data/data//(files|databases)/(security_inventory|policy_audit).*\\\\.(json|txt|db|plist)" + }, + { + "name": "iOS:unifiedlog", + "channel": "CREATE/WRITE of /Library/Caches/security_inventory.*\\\\.(json|plist|db)" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content" + }, + { + "name": "MobileEDR:telemetry", + "channel": "File writes from removable-media or USB-associated paths into download, package staging, temp, or application-accessible storage shortly after USB connection" + }, + { + "name": "MobileEDR:telemetry", + "channel": "large file write originating from /mnt/usb or external mounted 
storage" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Burst write to media, cache, temp, export, or staging path occurred during or immediately after camera session from same app identity" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application writes archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application writes new large container, temp package, or high-entropy blob after 
clustered local data access and before outbound communication" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect" + }, + { + "name": "MobileEDR:telemetry", + "channel": "APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json index 7e7a3951c4..d28e700705 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ffa8f84e-1850-4961-9f3f-3bf78ed87e12", + "id": "bundle--fa34f197-ce21-4dc6-82c7-2f38b26c69e2", "spec_version": "2.0", "objects": [ { 
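Review bot: The path-pattern channels added for `android:logcat` and `iOS:unifiedlog` in the `@@ -387,6 +387,162 @@` hunk look over-escaped. The four-backslash `\\\\.` in the JSON text decodes to `\\.`, which as a regex matches a literal backslash followed by any character instead of a dot; if these strings are meant to be usable patterns, the JSON text should presumably read `.*\\.(db|sqlite|txt|log)`. The first of them, `(keys|inputs)/.*\\\\.db|\\\\.txt|\\\\.log`, also leaves its alternation ungrouped, unlike the sibling entries. Several paths contain an empty segment (`/data/data//files/`, `/var/mobile/Containers/Data/Application//tmp`), which looks like a stripped package or container-id placeholder, whereas `/storage/emulated/0/<...>` kept its own. The `MobileEDR:telemetry` channel beginning `Application performs burst reads across local system paths` describes read activity and is also added to another data component earlier in this diff, so it may not belong under File Creation.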
@@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:14:34.343Z", + "modified": "2026-04-22T14:48:50.367Z", "name": "Network Traffic Content", "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n - Wireshark / tcpdump / tshark\n - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n - Zeek (formerly Bro)\n - Extracts protocol headers and payload details into structured logs. `echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n - Suricata / Snort (IDS/IPS with PCAP Logging)\n - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. 
`auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -29,20 +29,408 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { - "name": "Network Traffic", + "name": "Traffic", "channel": "None" }, + { + "name": "ALB:HTTPLogs", + "channel": "AWS ALB/ELB/GCP/Azure Application Gateway HTTP logs with unusual methods, long URIs, serialized payloads, 4xx/5xx bursts" + }, + { + "name": "apache:access_log", + "channel": "Unusual HTTP POST or PUT requests to paths such as '/uploads/', '/admin/', or CMS plugin folders" + }, + { + "name": "API:ConfigRepoAudit", + "channel": "Access to configuration repository endpoints, unusual enumeration requests or mass downloads" + }, + { + "name": "auditd:SYSCALL", + "channel": "setsockopt, ioctl modifying ARP entries" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Traffic between instances" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Large volume of malformed or synthetic payloads to application endpoints prior to failure" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "Unusual volume of data transferred from S3 storage endpoints to non-corporate IPs" + }, + { + "name": "AWS:VPCFlowLogs", + "channel": "High volume internal-to-internal IP transfer or cross-account cloud transfer" + }, + { + "name": "azure:activity", + "channel": "networkInsightsLogs" + }, + { + "name": "azure:vpcflow", + "channel": "HTTP requests to 169.254.169.254 or Azure Metadata endpoints" + }, + { + "name": "container:proxy", + "channel": "outbound/inbound network activity from spawned pods" + }, + { + "name": "docker:events", + "channel": "remote API calls to /containers/create or /containers/{id}/start" + }, + { + "name": "docker:stats", + "channel": "unusual network TX/RX byte deltas" + }, { "name": "ebpf:syscalls", "channel": "Process within container accesses link-local address 169.254.169.254" }, { - "name": "WebProxy:AccessLogs", - "channel": "SSRF-like patterns accessing metadata 
endpoint through proxy (e.g., Host: 169.254.169.254)" + "name": "EDR:hunting", + "channel": "Advanced Hunting: DeviceProcessEvents + DeviceNetworkEvents" + }, + { + "name": "esxcli:network", + "channel": "Socket sessions with randomized payloads inconsistent with TLS" + }, + { + "name": "esxcli:network", + "channel": "listening sockets bound to non-standard ports" + }, + { + "name": "esxcli:network", + "channel": "listening sockets bound with non-standard encapsulated protocols" + }, + { + "name": "esxcli:network", + "channel": "Socket inspection showing RSA key exchange outside baseline endpoints" + }, + { + "name": "esxi:vmkernel", + "channel": "Network activity" + }, + { + "name": "esxi:vmkernel", + "channel": "Outbound traffic using encoded payloads post-login" + }, + { + "name": "esxi:vmkernel", + "channel": "HTTPS POST connections to webhook endpoints" + }, + { + "name": "esxi:vmkernel", + "channel": "Inspection of sockets showing encrypted sessions from non-baseline processes" + }, + { + "name": "esxi:vmkernel", + "channel": "HTTPS POST connections to pastebin-like domains" + }, + { + "name": "esxi:vmkernel", + "channel": "network stack module logs" + }, + { + "name": "esxi:vmkernel", + "channel": "Suspicious traffic filtered or redirected by VM networking stack" + }, + { + "name": "esxi:vmkernel", + "channel": "VMCI syslog entries" + }, + { + "name": "esxi:vob", + "channel": "NFS/remote access logs" + }, + { + "name": "etw:Microsoft-Windows-NDIS-PacketCapture", + "channel": "TLS Handshake/Network Flow" + }, + { + "name": "etw:Microsoft-Windows-WinINet", + "channel": "HTTPS Inspection" + }, + { + "name": "etw:Microsoft-Windows-WinINet", + "channel": "WinINet API telemetry" + }, + { + "name": "gcp:audit", + "channel": "network.query*" + }, + { + "name": "gcp:vpcflow", + "channel": "first 5m egress to unknown ASNs" + }, + { + "name": "IDS:TLSInspection", + "channel": "Malformed certs, incomplete asymmetric handshakes, or invalid CAs" + }, + { + "name": 
"iOS:unifiedlog", + "channel": "Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode" + }, + { + "name": "iOS:unifiedlog", + "channel": "Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o)" + }, + { + "name": "iOS:unifiedlog", + "channel": "WKWebView navigation to domain visually similar to target brand (IDN/punycode/alike score)" + }, + { + "name": "linux:syslog", + "channel": "Query to suspicious domain with high entropy or low reputation" + }, + { + "name": "linux:syslog", + "channel": "curl|wget|python .*http" + }, + { + "name": "linux:syslog", + "channel": "Unexpected SQL or application log entries showing tampered or malformed data" + }, + { + "name": "linux:syslog", + "channel": "Integrity mismatch warnings or malformed packets detected" + }, + { + "name": "linux:syslog", + "channel": "DNS response IPs followed by connections to non-standard calculated ports" + }, + { + "name": "linux:syslog", + "channel": "Multiple NXDOMAIN responses and high entropy domains" + }, + { + "name": "m365:office", + "channel": "External HTTP/DNS connection from Office binary shortly after macro trigger" + }, + { + "name": "macos:unifiedlog", + "channel": "process + network metrics correlation for bandwidth saturation" + }, + { + "name": "macos:unifiedlog", + "channel": "DNS query with pseudo-random subdomain patterns" + }, + { + "name": "macos:unifiedlog", + "channel": "network flow" + }, + { + "name": "macos:unifiedlog", + "channel": "curl|osascript.*open location" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem: com.apple.network" + }, + { + "name": "macos:unifiedlog", + "channel": "open URL|clicked link|LSQuarantineAttach" + }, + { + "name": "macos:unifiedlog", + "channel": "None" + }, + { + "name": "macos:unifiedlog", + "channel": "Connections to suspicious domains with mismatched certificate or unusual patterns" + }, + { + "name": 
"macos:unifiedlog", + "channel": "HTTP POST with encoded content in user-agent or cookie field" + }, + { + "name": "macos:unifiedlog", + "channel": "Suspicious outbound HTTPS requests to domains flagged as newly registered or untrusted after spearphishing message interaction" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream (subsystem: com.apple.system.networking)" + }, + { + "name": "macos:unifiedlog", + "channel": "Encrypted connection with anomalous payload entropy" + }, + { + "name": "macos:unifiedlog", + "channel": "Rapid incoming TLS handshakes or HTTP requests in quick succession" + }, + { + "name": "macos:unifiedlog", + "channel": "network, socket, and http logs" + }, + { + "name": "macos:unifiedlog", + "channel": "DNS responses followed by connections to ports outside standard ranges" + }, + { + "name": "macos:unifiedlog", + "channel": "Persistent outbound traffic to mining domains" + }, + { + "name": "macos:unifiedlog", + "channel": "Encrypted session initiation by unexpected binary" + }, + { + "name": "macos:unifiedlog", + "channel": "eventMessage = 'promiscuous'" + }, + { + "name": "macos:unifiedlog", + "channel": "outbound HTTPS connections to code repository APIs" + }, + { + "name": "macos:unifiedlog", + "channel": "eventMessage = 'open', 'sendto', 'connect'" + }, + { + "name": "macos:unifiedlog", + "channel": "dns-sd, mDNSResponder, socket activity" + }, + { + "name": "macos:unifiedlog", + "channel": "process + network activity" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem=com.apple.WebKit" + }, + { + "name": "macos:unifiedlog", + "channel": "subsystem: com.apple.WebKit or com.apple.WebKit.Networking" + }, + { + "name": "macos:unifiedlog", + "channel": "encrypted outbound traffic carrying unexpected application data" + }, + { + "name": "macos:unifiedlog", + "channel": "Persistent outbound connections with consistent periodicity" + }, + { + "name": "macos:unifiedlog", + "channel": "TLS connections with abnormal 
handshake sequence or self-signed cert" + }, + { + "name": "macos:unifiedlog", + "channel": "Web server process initiating outbound TCP connections not tied to normal server traffic" + }, + { + "name": "macos:unifiedlog", + "channel": "outbound TLS connections to cloud storage providers" + }, + { + "name": "macos:unifiedlog", + "channel": "outbound HTTPS connections to cloud storage APIs" + }, + { + "name": "macos:unifiedlog", + "channel": "process, network" + }, + { + "name": "macos:unifiedlog", + "channel": "process = 'ssh' OR eventMessage CONTAINS 'ssh'" + }, + { + "name": "Netfilter/iptables", + "channel": "Forwarded packets log" + }, + { + "name": "Network Traffic", + "channel": "None" + }, + { + "name": "networkconfig ", + "channel": "interface flag PROMISC, netstat | ip link | ethtool" + }, + { + "name": "networkdevice:config", + "channel": "NAT table modification (add/update/delete rule)" + }, + { + "name": "networkdevice:IDS", + "channel": "content inspection / PCAP / HTTP body" + }, + { + "name": "networkdevice:syslog", + "channel": "ACL/Firewall rule modification or new route injection" + }, + { + "name": "networkdevice:syslog", + "channel": "config change (e.g., logging buffered, pcap buffers)" + }, + { + "name": "networkdevice:syslog", + "channel": "Authentication failures, unexpected community string usage, or unauthorized SNMPv1/v2 requests" + }, + { + "name": "networkdevice:syslog", + "channel": "Authentication failures or unusual community string usage in SNMP queries" + }, + { + "name": "NSM:Connections", + "channel": "Symmetric encryption detected without TLS handshake sequence" + }, + { + "name": "NSM:Connections", + "channel": "TLS handshake + HTTP headers" + }, + { + "name": "NSM:Connections", + "channel": "Abnormal certificate chains or non-standard ports carrying TLS" + }, + { + "name": "NSM:Connections", + "channel": "Unusual POST requests to admin or upload endpoints" + }, + { + "name": "NSM:Connections", + "channel": "Outbound connections 
to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns" + }, + { + "name": "NSM:Content", + "channel": "SSL Certificate Metadata" + }, + { + "name": "NSM:Content", + "channel": "HTTP Header Metadata" + }, + { + "name": "NSM:Content", + "channel": "TLS Fingerprint and Certificate Analysis" + }, + { + "name": "NSM:Content", + "channel": "Traffic on RPC DRSUAPI" + }, + { + "name": "NSM:Firewall", + "channel": "TLS/HTTP inspection" + }, + { + "name": "NSM:Firewall", + "channel": "High rate of inbound TCP SYN or ACK packets with missing 3-way handshake completion" + }, + { + "name": "NSM:Firewall", + "channel": "Anomalous TCP SYN or ACK spikes from specific source or interface" + }, + { + "name": "NSM:Firewall", + "channel": "Outbound encrypted traffic" + }, + { + "name": "NSM:Firewall", + "channel": "ICMP/UDP protocol anomaly" }, { "name": "NSM:Flow", @@ -56,14 +444,6 @@ "name": "NSM:Flow", "channel": "mqtt.log, xmpp.log, amqp.log" }, - { - "name": "networkdevice:syslog", - "channel": "ACL/Firewall rule modification or new route injection" - }, - { - "name": "m365:office", - "channel": "External HTTP/DNS connection from Office binary shortly after macro trigger" - }, { "name": "NSM:Flow", "channel": "TCP/UDP" @@ -80,10 +460,6 @@ "name": "NSM:Flow", "channel": "session behavior" }, - { - "name": "esxi:vmkernel", - "channel": "Network activity" - }, { "name": "NSM:Flow", "channel": "External C2 channel over TLS" 
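Review bot: In the `@@ -29,20 +29,408 @@` hunk the first log source becomes `"name": "Traffic"` with `"channel": "None"`, and the same hunk adds `"name": "Network Traffic"` and `"name": "macos:unifiedlog"` entries that also carry `"channel": "None"`. These entries name no concrete telemetry, and the string `"None"` is a sentinel, not a real channel. Dropping them or giving each a real channel would serve an analyst mapping the component to collection better. The added `"name": "networkconfig "` keeps a trailing space, which will not equal `networkconfig` for any consumer that joins or de-duplicates on the exact name; `"name": "networkconfig"` is the safer form. The list appears to have been re-sorted by name in this change, so normalising the names in the same pass would be cheap.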
@@ -120,34 +496,10 @@ "name": "NSM:Flow", "channel": "http.log, ssl.log, websocket.log" }, - { - "name": "macos:unifiedlog", - "channel": "process + network metrics correlation for bandwidth saturation" - }, - { - "name": "docker:stats", - "channel": "unusual network TX/RX byte deltas" - }, - { - "name": "etw:Microsoft-Windows-WinINet", - "channel": "HTTPS Inspection" - }, { "name": "NSM:Flow", "channel": "ssl.log" }, - { - "name": "linux:syslog", - "channel": "Query to suspicious domain with high entropy or low reputation" - }, - { - "name": "macos:unifiedlog", - "channel": "DNS query with pseudo-random subdomain patterns" - }, - { - "name": "azure:vpcflow", - "channel": "HTTP requests to 169.254.169.254 or Azure Metadata endpoints" - }, { "name": "NSM:Flow", "channel": "Browser connections to known C2 or dynamic DNS domains" @@ -160,42 +512,14 @@ "name": "NSM:Flow", "channel": "HTTP " }, - { - "name": "macos:unifiedlog", - "channel": "network flow" - }, - { - "name": "linux:syslog", - "channel": "curl|wget|python .*http" - }, - { - "name": "macos:unifiedlog", - "channel": "curl|osascript.*open location" - }, { "name": "NSM:Flow", "channel": "query: High-volume LDAP traffic with filters targeting groupPolicyContainer attributes" }, - { - "name": "etw:Microsoft-Windows-NDIS-PacketCapture", - "channel": "TLS Handshake/Network Flow" - }, { "name": "NSM:Flow", "channel": "HTTP/TLS Logs" }, - { - "name": "macos:unifiedlog", - "channel": "subsystem: com.apple.network" - }, - { - "name": "linux:syslog", - "channel": "Unexpected SQL or application log entries showing tampered or malformed data" - }, - { - "name": "EDR:hunting", - "channel": "Advanced Hunting: DeviceProcessEvents + DeviceNetworkEvents" - }, { "name": "NSM:Flow", "channel": "Suspicious URL patterns, uncommon TLDs, short-lived domains, URL shorteners; HTTP method GET/POST" 
@@ -204,10 +528,6 @@ "name": "NSM:Flow", "channel": "Suspicious URL patterns, uncommon TLDs, URL shorteners" }, - { - "name": "macos:unifiedlog", - "channel": "open URL|clicked link|LSQuarantineAttach" - }, { "name": "NSM:Flow", "channel": "Suspicious GET/POST; downloader patterns" @@ -220,26 +540,10 @@ "name": "NSM:Flow", "channel": "remote login and transfer" }, - { - "name": "esxi:vob", - "channel": "NFS/remote access logs" - }, - { - "name": "AWS:VPCFlowLogs", - "channel": "Traffic between instances" - }, { "name": "NSM:Flow", "channel": "conn.log" }, - { - "name": "WinEventLog:System", - "channel": "EventCode=5005 (WLAN), EventCode=302 (Bluetooth)" - }, - { - "name": "macos:unifiedlog", - "channel": "None" - }, { "name": "NSM:Flow", "channel": "Suspicious long-lived or reattached remote desktop sessions from unexpected IPs" @@ -256,10 +560,6 @@ "name": "NSM:Flow", "channel": "Requests towards cloud metadata or command & control from pod IPs" }, - { - "name": "ALB:HTTPLogs", - "channel": "AWS ALB/ELB/GCP/Azure Application Gateway HTTP logs with unusual methods, long URIs, serialized payloads, 4xx/5xx bursts" - }, { "name": "NSM:Flow", "channel": "Connections to TCP 427 (SLP) or vCenter web services from untrusted sources" @@ -280,10 +580,6 @@ "name": "NSM:Flow", "channel": "SMB2_LOGOFF/SMB_TREE_DISCONNECT" }, - { - "name": "macos:unifiedlog", - "channel": "Connections to suspicious domains with mismatched certificate or unusual patterns" - }, { "name": "NSM:Flow", "channel": "Unusual Base64-encoded content in URI, headers, or POST body" 
@@ -292,18 +588,6 @@ "name": "NSM:Flow", "channel": "Base64 strings or gzip in URI, headers, or POST body" }, - { - "name": "macos:unifiedlog", - "channel": "HTTP POST with encoded content in user-agent or cookie field" - }, - { - "name": "esxi:vmkernel", - "channel": "Outbound traffic using encoded payloads post-login" - }, - { - "name": "macos:unifiedlog", - "channel": "Suspicious outbound HTTPS requests to domains flagged as newly registered or untrusted after spearphishing message interaction" - }, { "name": "NSM:Flow", "channel": "Inbound connections to 445, 3389, 5985-5986 with high error/connection-reset rate, followed by new outbound sessions from the same host to internal assets within short interval." @@ -340,10 +624,6 @@ "name": "NSM:Flow", "channel": "LDAP Query" }, - { - "name": "macos:unifiedlog", - "channel": "log stream (subsystem: com.apple.system.networking)" - }, { "name": "NSM:Flow", "channel": "smtp.log" @@ -356,18 +636,6 @@ "name": "NSM:Flow", "channel": "remote CLI session detection" }, - { - "name": "macos:unifiedlog", - "channel": "Encrypted connection with anomalous payload entropy" - }, - { - "name": "esxcli:network", - "channel": "Socket sessions with randomized payloads inconsistent with TLS" - }, - { - "name": "NSM:Connections", - "channel": "Symmetric encryption detected without TLS handshake sequence" - }, { "name": "NSM:Flow", "channel": "http.log, ftp.log" @@ -380,10 +648,6 @@ "name": "NSM:Flow", "channel": "large HTTPS POST requests to webhook endpoints" }, - { - "name": "esxi:vmkernel", - "channel": "HTTPS POST connections to webhook endpoints" - }, { "name": "NSM:Flow", "channel": "Single, low-volume inbound packet (REJ/S0/OTH or uncommon dport/protocol) from src_ip followed by outbound SF connection to src_ip." 
@@ -396,18 +660,10 @@ "name": "NSM:Flow", "channel": "Inbound one-off packet to uncommon port \u2192 outbound SF to same src_ip within TimeWindow." }, - { - "name": "networkdevice:config", - "channel": "NAT table modification (add/update/delete rule)" - }, { "name": "NSM:Flow", "channel": "large upload to firmware interface port or path" }, - { - "name": "macos:unifiedlog", - "channel": "Rapid incoming TLS handshakes or HTTP requests in quick succession" - }, { "name": "NSM:Flow", "channel": "http.request: HTTP requests and responses for specific script resources, unexpected content-types (application/octet-stream for script URLs), suspicious referrers, or obfuscated javascript resources" @@ -420,34 +676,14 @@ "name": "NSM:Flow", "channel": "HTTP/HTTPS requests for script resources flagged by content inspection (excessive obfuscation, eval usage, unusual redirects)" }, - { - "name": "NSM:Connections", - "channel": "TLS handshake + HTTP headers" - }, { "name": "NSM:Flow", "channel": "ssl.log + http.log" }, - { - "name": "macos:unifiedlog", - "channel": "network, socket, and http logs" - }, - { - "name": "NSM:Firewall", - "channel": "TLS/HTTP inspection" - }, { "name": "NSM:Flow", "channel": "http/file-xfer: Outbound transfer of large video-like MIME types soon after capture" }, - { - "name": "container:proxy", - "channel": "outbound/inbound network activity from spawned pods" - }, - { - "name": "esxcli:network", - "channel": "listening sockets bound to non-standard ports" - }, { "name": "NSM:Flow", "channel": "Outbound SCP, TFTP, or FTP sessions carrying configuration file content" @@ -468,10 +704,6 @@ "name": "NSM:Flow", "channel": "Transferred file observations" }, - { - "name": "apache:access_log", - "channel": "Unusual HTTP POST or PUT requests to paths such as '/uploads/', '/admin/', or CMS plugin folders" - }, { "name": "NSM:Flow", "channel": "http::post: Outbound HTTP POST from host shortly after DB export activity" 
@@ -492,50 +724,14 @@ "name": "NSM:Flow", "channel": "New VM egress to crypto-mining pools or non-approved Internet ranges within minutes of boot" }, - { - "name": "docker:events", - "channel": "remote API calls to /containers/create or /containers/{id}/start" - }, { "name": "NSM:Flow", "channel": "http::request: Network connection to package registry or C2 from interpreter shortly after install" }, - { - "name": "linux:syslog", - "channel": "Integrity mismatch warnings or malformed packets detected" - }, { "name": "NSM:Flow", "channel": "http::request: Outbound HTTP initiated by Python interpreter" }, - { - "name": "WinEventLog:Sysmon", - "channel": "Outbound requests with forged tokens/cookies in headers" - }, - { - "name": "linux:syslog", - "channel": "DNS response IPs followed by connections to non-standard calculated ports" - }, - { - "name": "macos:unifiedlog", - "channel": "DNS responses followed by connections to ports outside standard ranges" - }, - { - "name": "macos:unifiedlog", - "channel": "Persistent outbound traffic to mining domains" - }, - { - "name": "macos:unifiedlog", - "channel": "Encrypted session initiation by unexpected binary" - }, - { - "name": "esxi:vmkernel", - "channel": "Inspection of sockets showing encrypted sessions from non-baseline processes" - }, - { - "name": "NSM:Connections", - "channel": "Abnormal certificate chains or non-standard ports carrying TLS" - }, { "name": "NSM:Flow", "channel": "DrsAddEntry, DrsReplicaAdd, GetNCChanges calls between non-DC and DCs." @@ -544,10 +740,6 @@ "name": "NSM:Flow", "channel": "large HTTPS POST requests to text storage domains" }, - { - "name": "esxi:vmkernel", - "channel": "HTTPS POST connections to pastebin-like domains" - }, { "name": "NSM:Flow", "channel": "Unexpected ARP replies or DNS responses inconsistent with authoritative servers" 
@@ -560,38 +752,6 @@ "name": "NSM:Flow", "channel": "Unusual request pattern leading up to service crash (e.g., malformed or oversized payload)" }, - { - "name": "AWS:VPCFlowLogs", - "channel": "Large volume of malformed or synthetic payloads to application endpoints prior to failure" - }, - { - "name": "networkconfig ", - "channel": "interface flag PROMISC, netstat | ip link | ethtool" - }, - { - "name": "macos:unifiedlog", - "channel": "eventMessage = 'promiscuous'" - }, - { - "name": "networkdevice:syslog", - "channel": "config change (e.g., logging buffered, pcap buffers)" - }, - { - "name": "macos:unifiedlog", - "channel": "outbound HTTPS connections to code repository APIs" - }, - { - "name": "azure:activity", - "channel": "networkInsightsLogs" - }, - { - "name": "gcp:audit", - "channel": "network.query*" - }, - { - "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", - "channel": "Unusual external domain access" - }, { "name": "NSM:Flow", "channel": "conn.log or http.log" @@ -632,18 +792,10 @@ "name": "NSM:Flow", "channel": "conn.log + files.log + ssl.log" }, - { - "name": "macos:unifiedlog", - "channel": "eventMessage = 'open', 'sendto', 'connect'" - }, { "name": "NSM:Flow", "channel": "HTTPS or custom protocol traffic with large payloads" }, - { - "name": "esxi:vmkernel", - "channel": "network stack module logs" - }, { "name": "NSM:Flow", "channel": "Unexpected script or binary content returned in HTTP response body" 
@@ -656,50 +808,18 @@ "name": "NSM:Flow", "channel": "Content injection observed in HTTPS responses with mismatched certificates or altered payloads" }, - { - "name": "NSM:Firewall", - "channel": "High rate of inbound TCP SYN or ACK packets with missing 3-way handshake completion" - }, - { - "name": "NSM:Firewall", - "channel": "Anomalous TCP SYN or ACK spikes from specific source or interface" - }, - { - "name": "saas:confluence", - "channel": "REST API access from non-browser agents" - }, - { - "name": "Netfilter/iptables", - "channel": "Forwarded packets log" - }, { "name": "NSM:Flow", "channel": "Relay patterns across IP hops" }, - { - "name": "NSM:Firewall", - "channel": "Outbound encrypted traffic" - }, { "name": "NSM:Flow", "channel": "ldap.log" }, - { - "name": "macos:unifiedlog", - "channel": "dns-sd, mDNSResponder, socket activity" - }, - { - "name": "networkdevice:IDS", - "channel": "content inspection / PCAP / HTTP body" - }, { "name": "NSM:Flow", "channel": "Probe responses from unauthorized APs responding to client probe requests" }, - { - "name": "auditd:SYSCALL", - "channel": "setsockopt, ioctl modifying ARP entries" - }, { "name": "NSM:Flow", "channel": "Excessive gratuitous ARP replies on local subnet" @@ -724,10 +844,6 @@ "name": "NSM:Flow", "channel": "Encrypted tunnels or proxy traffic to non-standard destinations" }, - { - "name": "esxi:vmkernel", - "channel": "Suspicious traffic filtered or redirected by VM networking stack" - }, { "name": "NSM:Flow", "channel": "large transfer from management IPs to unauthorized host" @@ -752,10 +868,6 @@ "name": "NSM:Flow", "channel": "ftp.log, conn.log, smb_files.log" }, - { - "name": "linux:syslog", - "channel": "Multiple NXDOMAIN responses and high entropy domains" - }, { "name": "NSM:Flow", "channel": "SSL/TLS Inspection or PCAP" 
@@ -764,10 +876,6 @@ "name": "NSM:Flow", "channel": "conn.log, ssl.log" }, - { - "name": "macos:unifiedlog", - "channel": "process + network activity" - }, { "name": "NSM:Flow", "channel": "http, dns, smb, ssl logs" @@ -780,10 +888,6 @@ "name": "NSM:Flow", "channel": "conn.log, http.log, dns.log, ssl.log" }, - { - "name": "networkdevice:syslog", - "channel": "Authentication failures, unexpected community string usage, or unauthorized SNMPv1/v2 requests" - }, { "name": "NSM:Flow", "channel": "ICMP/UDP traffic (Wireshark, Suricata, Zeek)" @@ -796,14 +900,6 @@ "name": "NSM:Flow", "channel": "ICMP/UDP monitoring (tcpdump, Wireshark, Zeek)" }, - { - "name": "esxi:vmkernel", - "channel": "VMCI syslog entries" - }, - { - "name": "NSM:Firewall", - "channel": "ICMP/UDP protocol anomaly" - }, { "name": "NSM:Flow", "channel": "Unusual responses to LLMNR (UDP 5355) or NBT-NS (UDP 137) queries from unauthorized hosts" @@ -828,42 +924,14 @@ "name": "NSM:Flow", "channel": "Network Capture TLS/HTTP" }, - { - "name": "NSM:Content", - "channel": "SSL Certificate Metadata" - }, - { - "name": "NSM:Content", - "channel": "HTTP Header Metadata" - }, - { - "name": "NSM:Content", - "channel": "TLS Fingerprint and Certificate Analysis" - }, { "name": "NSM:Flow", "channel": "container egress to unknown IPs/domains" }, - { - "name": "gcp:vpcflow", - "channel": "first 5m egress to unknown ASNs" - }, { "name": "NSM:Flow", "channel": "HTTP Request Logging" }, - { - "name": "WinEventLog:iis", - "channel": "IIS Logs" - }, - { - "name": "macos:unifiedlog", - "channel": "subsystem=com.apple.WebKit" - }, - { - "name": "AWS:VPCFlowLogs", - "channel": "Unusual volume of data transferred from S3 storage endpoints to non-corporate IPs" - }, { "name": "NSM:Flow", "channel": "ssh connections originating from third-party CIDRs" 
@@ -888,10 +956,6 @@ "name": "NSM:Flow", "channel": "Outbound HTTP/S" }, - { - "name": "macos:unifiedlog", - "channel": "subsystem: com.apple.WebKit or com.apple.WebKit.Networking" - }, { "name": "NSM:Flow", "channel": "ssl.log - Certificate Analysis" 
@@ -909,84 +973,180 @@ "channel": "Packets with unusual flags or payloads outside established flows (e.g., WoL magic FF\u00d76 + 16\u00d7MAC)" }, { - "name": "WIDS:AssociationLogs", - "channel": "Unauthorized AP or anomalous MAC address connection attempts" + "name": "NSM:Flow", + "channel": "Suspicious POSTs to upload endpoints" }, { - "name": "macos:unifiedlog", - "channel": "encrypted outbound traffic carrying unexpected application data" + "name": "NSM:Flow", + "channel": "TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write" }, { - "name": "esxcli:network", - "channel": "listening sockets bound with non-standard encapsulated protocols" + "name": "NSM:Flow", + "channel": "HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app" }, { - "name": "macos:unifiedlog", - "channel": "Persistent outbound connections with consistent periodicity" + "name": "NSM:Flow", + "channel": "HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, text/javascript)" }, { - "name": "macos:unifiedlog", - "channel": "TLS connections with abnormal handshake sequence or self-signed cert" + "name": "NSM:Flow", + "channel": "burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans" }, { - "name": "esxcli:network", - "channel": "Socket inspection showing RSA key exchange outside baseline endpoints" + "name": "NSM:Flow", + "channel": "HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline" }, { - "name": "IDS:TLSInspection", - "channel": "Malformed certs, incomplete asymmetric handshakes, or invalid CAs" + "name": "NSM:Flow", + "channel": "Application-layer indicators observable via enterprise network controls (HTTP 
method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior" }, { - "name": "macos:unifiedlog", - "channel": "Web server process initiating outbound TCP connections not tied to normal server traffic" + "name": "NSM:Flow", + "channel": "Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss" }, { - "name": "macos:unifiedlog", - "channel": "outbound TLS connections to cloud storage providers" + "name": "NSM:Flow", + "channel": "Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss" + }, + { + "name": "NSM:Flow", + "channel": "Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit" + }, + { + "name": "NSM:Flow", + "channel": "Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window" + }, + { + "name": "NSM:Flow", + "channel": "App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window" + }, + { + "name": "NSM:Flow", + "channel": "Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase" + }, + { + "name": "NSM:Flow", + "channel": "Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the acquisition phase" + }, + { + "name": "NSM:Flow", + "channel": "Device shows correlated inbound session establishment followed by outbound connections 
to separate external destinations with overlapping timing and relay-like byte symmetry" + }, + { + "name": "NSM:Flow", + "channel": "Traffic spike preceding control crash" + }, + { + "name": "NSM:Inspection", + "channel": "TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation" + }, + { + "name": "NSM:Inspection", + "channel": "TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect" }, { "name": "saas:box", "channel": "API calls exceeding baseline thresholds" }, { - "name": "macos:unifiedlog", - "channel": "outbound HTTPS connections to cloud storage APIs" + "name": "saas:confluence", + "channel": "REST API access from non-browser agents" }, { - "name": "AWS:VPCFlowLogs", - "channel": "High volume internal-to-internal IP transfer or cross-account cloud transfer" + "name": "TelecomLogs:SS7Signaling", + "channel": "Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns" }, { - "name": "etw:Microsoft-Windows-WinINet", - "channel": "WinINet API telemetry" + "name": "TelecomLogs:SS7Signaling", + "channel": "Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities" }, { - "name": "macos:unifiedlog", - "channel": "process, network" + "name": "VPN:MobileProxy", + "channel": "Supervised or newly activated device initiates outbound connections to destinations outside Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion" }, { - "name": "NSM:Connections", - "channel": "Unusual POST requests to admin or upload endpoints" + "name": "VPN:MobileProxy", + 
"channel": "Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class" }, { - "name": "NSM:Flow", - "channel": "Suspicious POSTs to upload endpoints" + "name": "VPN:MobileProxy", + "channel": "Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior" }, { - "name": "networkdevice:syslog", - "channel": "Authentication failures or unusual community string usage in SNMP queries" + "name": "VPN:MobileProxy", + "channel": "App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow" }, { - "name": "API:ConfigRepoAudit", - "channel": "Access to configuration repository endpoints, unusual enumeration requests or mass downloads" + "name": "VPN:MobileProxy", + "channel": "DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity" }, { - "name": "NSM:Content", - "channel": "Traffic on RPC DRSUAPI" + "name": "VPN:MobileProxy", + "channel": "Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category" }, { - "name": "macos:unifiedlog", - "channel": "process = 'ssh' OR eventMessage CONTAINS 'ssh'" + "name": "VPN:MobileProxy", + "channel": "App-attributed session to public web-service domain included inbound content retrieval followed 
by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow" + }, + { + "name": "VPN:MobileProxy", + "channel": "Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval" + }, + { + "name": "VPN:MobileProxy", + "channel": "Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity" + }, + { + "name": "VPN:MobileProxy", + "channel": "App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class" + }, + { + "name": "VPN:MobileProxy", + "channel": "Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content" + }, + { + "name": "VPN:MobileProxy", + "channel": "Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile" + }, + { + "name": "VPN:MobileProxy", + "channel": "TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session" + }, + { + "name": "VPN:MobileProxy", + "channel": "Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior" + }, + { + "name": "VPN:MobileProxy", + "channel": "Destination port was not in approved protocol-to-port mapping for app identity or service class and session did not 
match known enterprise proxy, relay, or developer tooling exception" + }, + { + "name": "VPN:MobileProxy", + "channel": "Observed protocol-to-port pairing was outside approved mapping for managed bundle or service class and did not match enterprise proxy, relay, or developer tooling exception" + }, + { + "name": "WebProxy:AccessLogs", + "channel": "SSRF-like patterns accessing metadata endpoint through proxy (e.g., Host: 169.254.169.254)" + }, + { + "name": "WIDS:AssociationLogs", + "channel": "Unauthorized AP or anomalous MAC address connection attempts" + }, + { + "name": "WinEventLog:iis", + "channel": "IIS Logs" + }, + { + "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", + "channel": "Unusual external domain access" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "Outbound requests with forged tokens/cookies in headers" + }, + { + "name": "WinEventLog:System", + "channel": "EventCode=5005 (WLAN), EventCode=302 (Bluetooth)" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json index 2d052916d7..251a6d79f3 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee95aa49-3173-4691-bc75-47e897bd211d", + "id": "bundle--0d6caf4b-7bd8-4776-9340-dc40849fdbd3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json index 7d5c9df1b2..2c02134924 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json 
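Review bot: Four of the added `VPN:MobileProxy` channels bound their correlation with the bare token `TimeWindow` (for example `...followed by outbound connection to a different domain or IP within TimeWindow`), which is never defined in this hunk, while the added `NSM:Flow` entries say `within correlation window` for the same idea. An analyst turning these into rules has no way to tell whether `TimeWindow` is a parameter defined elsewhere or a leftover template variable, so I would use one phrase throughout, e.g. `within the analytic's correlation window`. The last two `VPN:MobileProxy` entries (`Destination port was not in approved protocol-to-port mapping...` and `Observed protocol-to-port pairing was outside approved mapping...`) describe the same condition with near-identical wording and could be merged into one.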
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ec0c4a5-ea53-4363-848d-680b58e1f292", + "id": "bundle--4f237b15-d299-402a-9dde-a9dfff4b250a", "spec_version": "2.0", "objects": [ { @@ -12,17 +12,16 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datacomponents/DC0032", + "url": "https://attack.mitre.org/data-components/DC0032", "external_id": "DC0032" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-13T15:49:16.424Z", "name": "Process Creation", "description": "Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.. ", - "x_mitre_data_source_ref": "", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ @@ -30,7 +29,7 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { 
@@ -1312,6 +1311,58 @@ { "name": "macos:unifiedlog", "channel": "security OR injection attempts into 1Password OR LastPass" + }, + { + "name": "AndroidLogs:Kernel", + "channel": "init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot" + }, + { + "name": "iOS:unifiedlog", + "channel": "launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock" + }, + { + "name": "AndroidLogs:Framework", + "channel": "Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/), or whose parent process originates from an app sandbox" + }, + { + "name": "iOS:unifiedlog", + "channel": "Creation of a new process with elevated UID or sensitive entitlements whose binary path is associated with an app container or whose parent/caller is a low-privileged app/webcontent process" + }, + { + "name": "android:logcat", + "channel": "dlopen of a recently created .so OR short-lived child (/system/bin/sh,toybox,linker) spawned by app_process" + }, + { + "name": "android:logcat", + "channel": "startActivity on top of (launchMode/singleTop), task switch immediately after focus" + }, + { + "name": "android:logcat", + "channel": "unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application writes audio buffer or recorded audio file into application storage directories" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application installed from adb, sideload, or unknown USB source" + }, + { + "name": 
"MobileEDR:telemetry", + "channel": "Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack)" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json index acb448c824..c98a5d3ccb 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d7c16bbc-9aec-4fe6-b437-82ed77a5c2df", + "id": "bundle--76811394-9b05-4c40-b703-062214136bb0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json index ebea7b7ec1..c5f63d1b18 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f1b7312-194f-4f01-b1ed-953b18c846c3", + "id": "bundle--d0ab572b-8a49-442d-a482-853c2fa80474", "spec_version": "2.0", "objects": [ { 
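Review bot: Some of the `MobileEDR:telemetry` entries added in the `@@ -1312,6 +1311,58 @@` hunk do not describe a process-creation event, although this object is the "Process Creation" data component. `Application writes audio buffer or recorded audio file into application storage directories` is a file write and `application installed from adb, sideload, or unknown USB source` is an install event. Kept here, they widen what a detection engineer has to collect for this component; they probably belong under the file- or application-related components. The `android:logcat` channel `startActivity on top of (launchMode/singleTop), task switch immediately after focus` reads as if the object of "on top of" was lost. Source naming is also mixed within the same addition (`AndroidLogs:Kernel` and `AndroidLogs:Framework` next to `android:logcat`, and `iOS:unifiedlog` next to the existing `macos:unifiedlog`).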
@@ -8,6 +8,7 @@ "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", "created": "2022-05-11T16:22:58.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -18,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:10:28.402Z", + "modified": "2026-04-22T15:07:16.930Z", "name": "Process/Event Alarm", "description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -26,9 +27,13 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ + { + "name": "Databases", + "channel": "None" + }, { "name": "Operational Databases", "channel": "None" diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json index 7cd9d9e80e..35af81928d 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71d846b3-e017-47c7-a54a-6c0a6c25cb0e", + "id": "bundle--05190c56-d41a-46e5-b524-9962733ed51a", "spec_version": "2.0", "objects": [ { 
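Review bot: In the `@@ -26,9 +27,13 @@` hunk the new log source `"name": "Databases"` is added with `"channel": "None"`, directly in front of the existing `"Operational Databases"` entry that carries the same placeholder. The two names overlap and neither says which alarm or event table to read, so the addition gives a defender nothing extra to collect. If `Databases` is meant to replace the older name, the older entry should be removed in the same change; if both are intended, the channel should state what distinguishes them. The literal string `"None"` also cannot be told apart from a real channel value by a consumer, though the schema may require a string here.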
@@ -22,7 +22,6 @@ "modified": "2025-11-12T22:03:39.105Z", "name": "Drive Modification", "description": "The alteration of a drive letter, mount point, or other attributes of a data storage device, which could involve reassignment, renaming, permissions changes, or other modifications. Examples: \n\n- Drive Letter Reassignment: A USB drive previously assigned `E:\\` is reassigned to `D:\\` on a Windows machine.\n- Mount Point Change: On a Linux system, a mounted storage device at `/mnt/external` is moved to `/mnt/storage`.\n- Drive Permission Changes: A shared drive's permissions are modified to allow write access for unauthorized users or processes.\n- Renaming of a Drive: A network drive labeled \"HR_Share\" is renamed to \"Shared_Resources.\"\n- Modification of Cloud-Integrated Drives: A cloud storage mount such as Google Drive is modified to sync only specific folders.\n\nThis data component can be collected through the following measures:\n\nWindows Event Logs\n\n- Relevant Events:\n - Event ID 98: Indicates changes to a volume (e.g., drive letter reassignment).\n - Event ID 1006: Logs permission modifications or changes to removable storage.\n- Configuration: Enable \"Storage Operational Logs\" in the Event Viewer:\n`Applications and Services Logs > Microsoft > Windows > Storage-Tiering > Operational`\n\nLinux System Logs\n\n- Auditd Configuration: Add audit rules to track changes to mounted drives: `auditctl -w /mnt/ -p w -k drive_modification`\n- Command-Line Monitoring: Use `dmesg` or `journalctl` to observe drive modifications.\n\nmacOS System Logs\n\n- Unified Logs: Collect mount or drive modification events: `log show --info | grep \"Volume modified\"`\n- Command-Line Monitoring: Use `diskutil` to track changes:\n\nEndpoint Detection and Response (EDR) Tools\n\n- Configure policies in EDR solutions to monitor and log changes to drive configurations or attributes.\n\nSIEM Tools\n\n- Aggregate logs from multiple systems into a centralized platform like 
Splunk to correlate events and alert on suspicious drive modification activities.\n", - "x_mitre_data_source_ref": "", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json index d4d36f6958..0dc4df4997 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--509e8691-fc38-45f0-af12-ff9c7bbfdb8e", + "id": "bundle--ca777fe1-2856-4d48-a98e-f00f18a654ca", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json index 53529ff68c..7c65485b07 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--485be29f-8ca1-4096-aa07-9379b817e6dc", + "id": "bundle--178a1ac6-310f-4ee4-9206-cad93e20abf9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json index 61f025edb6..a4bec46de1 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json 
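Review bot: The `@@ -22,7 +22,6 @@` hunk removes `"x_mitre_data_source_ref": ""` from the "Drive Modification" object but leaves `"modified": "2025-11-12T22:03:39.105Z"` as an unchanged context line, and this file has no other hunk touching `x_mitre_version`. The same `id` and `modified` pair therefore now has two different serialisations. A STIX consumer that deduplicates or syncs on those two fields will either miss the change or see a content mismatch for what it considers one version. The Process Creation object in this commit gets a new `modified` value alongside the same removal, and the same should be done here. Separately, the description's macOS bullet ends at `Use \`diskutil\` to track changes:` with nothing after the colon, which looks like a truncated instruction.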
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--35997b4e-9cbb-43fb-af1d-04e1acdf20b5", + "id": "bundle--4938eb50-8b44-4453-a234-5fc35a223eb0", "spec_version": "2.0", "objects": [ { 
@@ -19,38 +19,235 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-23T18:33:47.956Z", "name": "File Metadata", "description": "contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: \n\n- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\\Windows\\System32\\config\\SAM on Windows.\n- Timestamps: Analyzing the creation, modification, and access timestamps of a file.\n- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.\n- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.\n- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.\n- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ + { + "name": "auditd:SYSCALL", + "channel": "stat and lstat syscall results on files, including inode and permission info" + }, + { + "name": "AndroidLogs:Framework", + "channel": "BroadcastReceiver registration for android.intent.action.BOOT_COMPLETED by previously unseen or recently installed apps" + }, + { + "name": "auditd:CONFIG_CHANGE", + 
"channel": "chmod or chown of hook files indicating privilege escalation or execution permission change" + }, + { + "name": "auditd:PATH", + "channel": "file path matches exclusion directories" + }, + { + "name": "auditd:PATH", + "channel": "PATH" + }, + { + "name": "auditd:PATH", + "channel": "file path modifications on critical system directories (/etc, /usr/bin, /usr/sbin, /var, /opt)" + }, + { + "name": "auditd:SYSCALL", + "channel": "Inotify watch creation or auditctl changes on /etc/cron* or /lib/systemd/system/" + }, + { + "name": "auditd:SYSCALL", + "channel": "PATH" + }, + { + "name": "auditd:SYSCALL", + "channel": "file write after sleep delay" + }, + { + "name": "auditd:SYSCALL", + "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)" + }, + { + "name": "auditd:SYSCALL", + "channel": "setuid or setgid bit changes" + }, + { + "name": "auditd:SYSCALL", + "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, lchown, setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr, fremovexattr)" + }, + { + "name": "auditd:SYSCALL", + "channel": "setxattr or getxattr system call" + }, + { + "name": "auditd:SYSCALL", + "channel": "chmod, chown, setxattr, or file writes to /etc/ssl/* or /usr/local/share/ca-certificates/*" + }, + { + "name": "ebpf:syscalls", + "channel": "Unexpected container volume unmount + file deletion" + }, + { + "name": "EDR:detection", + "channel": "App reputation telemetry" + }, + { + "name": "EDR:file", + "channel": "File Metadata Inspection (Low String Entropy, Missing PDB)" + }, + { + "name": "EDR:file", + "channel": "File Metadata Analysis (PE overlays, entropy)" + }, + { + "name": "esxi:hostd", + "channel": "host daemon events related to file or VM permission changes" + }, + { + "name": "esxi:syslog", + "channel": "Datastore file hidden or renamed unexpectedly" + }, + { + "name": "esxi:vmkernel", + "channel": "Upload of file to datastore" + }, + { + "name": 
"esxi:vmkernel", + "channel": "Storage access and file ops" + }, + { + "name": "esxi:vmkernel", + "channel": "VMware kernel events for file system permission modifications" + }, + { + "name": "esxi:vmkernel", + "channel": "Datastore modification events" + }, { "name": "File", "channel": "None" }, { - "name": "linux:osquery", - "channel": "event-based" + "name": "fs:fileevents", + "channel": "/var/log/install.log" }, { - "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", - "channel": "Invalid/Unsigned image when developer tool launches newly installed binaries" + "name": "fs:filesystem", + "channel": "Binary file hash changes outside of update/patch cycles" + }, + { + "name": "fs:fsevents", + "channel": "file system events indicating permission or attribute changes" + }, + { + "name": "fs:fsusage", + "channel": "filesystem monitoring of exec/open" + }, + { + "name": "fwupd:logs", + "channel": "Firmware updates applied or failed" + }, + { + "name": "gatekeeper/quarantine database", + "channel": "LaunchServices quarantine" }, { "name": "journald:package", "channel": "dpkg/apt or yum/dnf transaction logs (install/update of build tools)" }, + { + "name": "journald:package", + "channel": "dpkg/apt/yum/dnf transaction logs; vendor updaters in systemd journals" + }, + { + "name": "journald:package", + "channel": "dpkg/apt install, remove, upgrade events" + }, + { + "name": "journald:package", + "channel": "yum/dnf install or update transactions" + }, + { + "name": "linux:osquery", + "channel": "event-based" + }, { "name": "linux:osquery", "channel": "file_events, hash" }, + { + "name": "linux:osquery", + "channel": "hash, elf_info, file_metadata" + }, + { + "name": "linux:osquery", + "channel": "file_events" + }, + { + "name": "linux:osquery", + "channel": "elf_info, hash, yara_matches" + }, + { + "name": "linux:osquery", + "channel": "Read headers and detect MIME type mismatch" + }, + { + "name": "linux:osquery", + "channel": "file_events.path" + }, + { + 
"name": "linux:osquery", + "channel": "Filesystem modifications to trusted paths" + }, + { + "name": "linux:osquery", + "channel": "Write or modify .desktop file in XDG autostart path" + }, + { + "name": "linux:osquery", + "channel": "hash, rpm_packages, deb_packages, file_events" + }, + { + "name": "linux:syslog", + "channel": "Discrepancies in _VBA_PROJECT p-code vs source code extracted with oletools/pcodedmp" + }, + { + "name": "linux:syslog", + "channel": "application or system execution logs" + }, + { + "name": "linux:syslog", + "channel": "file permission modification events in kernel messages" + }, + { + "name": "linux:syslog", + "channel": "kernel messages related to file system permission changes and security violations" + }, + { + "name": "macos:endpointsecurity", + "channel": "es_event_file_rename_t or es_event_file_write_t" + }, + { + "name": "macos:endpointsecurity", + "channel": "es_event_authentication" + }, + { + "name": "macos:osquery", + "channel": "code_signing, file_metadata" + }, + { + "name": "macos:osquery", + "channel": "file_events" + }, + { + "name": "macos:osquery", + "channel": "mach_o_info, file_metadata" + }, { "name": "macos:unifiedlog", "channel": "softwareupdated/homebrew/install logs, pkginstalld events" 
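Review bot: Two of the `auditd:SYSCALL` entries added in the `@@ -19,38 +19,235 @@` hunk overlap. The channel `syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)` is a strict subset of the later one, which also lists `lchown` and the `removexattr` family, so keeping only the longer list would cover both. The bare `"channel": "PATH"` under both `auditd:SYSCALL` and `auditd:PATH` names an audit record type rather than a condition to look for. The leading `auditd:SYSCALL` stat/lstat entry also sits before `AndroidLogs:Framework`, breaking the name ordering the rest of the list follows. Some of these entries appear to be moved rather than new, since later hunks of this file remove entries with the same text, so the overlap may predate this commit.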
@@ -59,34 +256,10 @@ "name": "macos:unifiedlog", "channel": "AMFI or Gatekeeper signature/notarization failures for newly installed dev components" }, - { - "name": "auditd:SYSCALL", - "channel": "Inotify watch creation or auditctl changes on /etc/cron* or /lib/systemd/system/" - }, - { - "name": "linux:syslog", - "channel": "Discrepancies in _VBA_PROJECT p-code vs source code extracted with oletools/pcodedmp" - }, { "name": "macos:unifiedlog", "channel": "Detection of altered _VBA_PROJECT or PerformanceCache streams" }, - { - "name": "EDR:file", - "channel": "File Metadata Inspection (Low String Entropy, Missing PDB)" - }, - { - "name": "linux:osquery", - "channel": "hash, elf_info, file_metadata" - }, - { - "name": "macos:osquery", - "channel": "code_signing, file_metadata" - }, - { - "name": "WinEventLog:Windows Defender", - "channel": "Operational log" - }, { "name": "macos:unifiedlog", "channel": "subsystem:syspolicyd" 
@@ -95,94 +268,18 @@ "name": "macos:unifiedlog", "channel": "File metadata updated with UF_HIDDEN flag" }, - { - "name": "WinEventLog:Sysmon", - "channel": "EventCode=15" - }, - { - "name": "auditd:PATH", - "channel": "file path matches exclusion directories" - }, - { - "name": "auditd:SYSCALL", - "channel": "PATH" - }, - { - "name": "auditd:PATH", - "channel": "PATH" - }, - { - "name": "macos:endpointsecurity", - "channel": "es_event_file_rename_t or es_event_file_write_t" - }, - { - "name": "linux:osquery", - "channel": "file_events" - }, - { - "name": "fs:fileevents", - "channel": "/var/log/install.log" - }, - { - "name": "auditd:SYSCALL", - "channel": "file write after sleep delay" - }, - { - "name": "esxi:vmkernel", - "channel": "Upload of file to datastore" - }, - { - "name": "ebpf:syscalls", - "channel": "Unexpected container volume unmount + file deletion" - }, - { - "name": "macos:osquery", - "channel": "file_events" - }, - { - "name": "EDR:file", - "channel": "File Metadata Analysis (PE overlays, entropy)" - }, - { - "name": "linux:osquery", - "channel": "elf_info, hash, yara_matches" - }, - { - "name": "macos:osquery", - "channel": "mach_o_info, file_metadata" - }, { "name": "macos:unifiedlog", "channel": "Code signature validation fails or is absent post-binary modification" }, - { - "name": "fs:filesystem", - "channel": "Binary file hash changes outside of update/patch cycles" - }, - { - "name": "linux:osquery", - "channel": "Read headers and detect MIME type mismatch" - }, { "name": "macos:unifiedlog", "channel": "Code signing verification failures or bypassed trust decisions" }, - { - "name": "NSM:Flow", - "channel": "Observed File Transfers" - }, - { - "name": "esxi:vmkernel", - "channel": "Storage access and file ops" - }, { "name": "macos:unifiedlog", "channel": "Creation of new LaunchAgent or LoginItem plist files in ~/Library/LaunchAgents/" }, - { - "name": "auditd:CONFIG_CHANGE", - "channel": "chmod or chown of hook files indicating privilege 
escalation or execution permission change" - }, { "name": "macos:unifiedlog", "channel": "filesystem events" @@ -195,46 +292,6 @@ "name": "macos:unifiedlog", "channel": "Gatekeeper quarantine policy decision anomalies recorded in com.apple.LaunchServices.QuarantineEventsV2" }, - { - "name": "linux:syslog", - "channel": "application or system execution logs" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4663, 4670, 4656" - }, - { - "name": "auditd:SYSCALL", - "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)" - }, - { - "name": "linux:syslog", - "channel": "file permission modification events in kernel messages" - }, - { - "name": "fs:fsevents", - "channel": "file system events indicating permission or attribute changes" - }, - { - "name": "OpenBSM:AuditTrail", - "channel": "BSM audit events for file permission modifications" - }, - { - "name": "esxi:hostd", - "channel": "host daemon events related to file or VM permission changes" - }, - { - "name": "esxi:vmkernel", - "channel": "VMware kernel events for file system permission modifications" - }, - { - "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", - "channel": "Unsigned or invalid image for newly installed/updated binaries" - }, - { - "name": "journald:package", - "channel": "dpkg/apt/yum/dnf transaction logs; vendor updaters in systemd journals" - }, { "name": "macos:unifiedlog", "channel": "pkginstalld/softwareupdated/Homebrew install transactions" 
@@ -243,134 +300,26 @@ "name": "macos:unifiedlog", "channel": "AMFI/Gatekeeper code signature or notarization failures" }, - { - "name": "EDR:detection", - "channel": "App reputation telemetry" - }, - { - "name": "gatekeeper/quarantine database", - "channel": "LaunchServices quarantine" - }, - { - "name": "linux:osquery", - "channel": "file_events.path" - }, - { - "name": "auditd:SYSCALL", - "channel": "setuid or setgid bit changes" - }, - { - "name": "linux:osquery", - "channel": "Filesystem modifications to trusted paths" - }, - { - "name": "fs:fsusage", - "channel": "filesystem monitoring of exec/open" - }, - { - "name": "auditd:SYSCALL", - "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, lchown, setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr, fremovexattr)" - }, - { - "name": "auditd:PATH", - "channel": "file path modifications on critical system directories (/etc, /usr/bin, /usr/sbin, /var, /opt)" - }, - { - "name": "linux:syslog", - "channel": "kernel messages related to file system permission changes and security violations" - }, - { - "name": "OpenBSM:AuditTrail", - "channel": "BSM audit events for file permission, ownership, and attribute modifications with user context" - }, { "name": "macos:unifiedlog", "channel": "kernel extension and system extension logs related to file system security violations or SIP bypass attempts" }, - { - "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", - "channel": "Code integrity violations in boot-start drivers or firmware" - }, - { - "name": "fwupd:logs", - "channel": "Firmware updates applied or failed" - }, - { - "name": "macos:endpointsecurity", - "channel": "es_event_authentication" - }, - { - "name": "esxi:vmkernel", - "channel": "Datastore modification events" - }, - { - "name": "linux:osquery", - "channel": "Write or modify .desktop file in XDG autostart path" - }, { "name": "macos:unifiedlog", "channel": "Unexpected application binary modifications or altered 
signing status" }, - { - "name": "auditd:SYSCALL", - "channel": "setxattr or getxattr system call" - }, { "name": "macos:unifiedlog", "channel": "extended attribute write or modification" }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4663, 4656, 4658" - }, - { - "name": "auditd:SYSCALL", - "channel": "chmod, chown, setxattr, or file writes to /etc/ssl/* or /usr/local/share/ca-certificates/*" - }, { "name": "macos:unifiedlog", "channel": "New certificate trust settings added by unexpected process" }, - { - "name": "esxi:syslog", - "channel": "Datastore file hidden or renamed unexpectedly" - }, - { - "name": "WinEventLog:Windows Defender", - "channel": "Operational" - }, { "name": "macos:unifiedlog", "channel": "subsystem=com.apple.lsd" }, - { - "name": "saas:RepoEvents", - "channel": "New file added or modified in PR targeting CI/CD or build config (e.g., `gitlab-ci.yml`, `build.gradle`, `pom.xml`, `.github/workflows/*.yml`)" - }, - { - "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", - "channel": "CodeIntegrity reports 'Invalid image hash' or 'Unsigned image' for new/updated binaries" - }, - { - "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", - "channel": "SmartScreen or ASR blocks on newly downloaded installer/updater" - }, - { - "name": "WinEventLog:Setup", - "channel": "MSI/Product install, repair or update events" - }, - { - "name": "journald:package", - "channel": "dpkg/apt install, remove, upgrade events" - }, - { - "name": "journald:package", - "channel": "yum/dnf install or update transactions" - }, - { - "name": "linux:osquery", - "channel": "hash, rpm_packages, deb_packages, file_events" - }, { "name": "macos:unifiedlog", "channel": "installer or system_installd 'PackageKit: install succeeded/failed' with non-notarized or unknown signer" 
@@ -379,13 +328,73 @@ "name": "macos:unifiedlog", "channel": "Gatekeeper/AMFI 'code signature invalid' / 'not notarized' messages" }, + { + "name": "macos:unifiedlog", + "channel": "File creation or modification with com.apple.ResourceFork extended attribute" + }, { "name": "networkdevice:syslog", "channel": "OS version query results inconsistent with expected or approved version list" }, { - "name": "macos:unifiedlog", - "channel": "File creation or modification with com.apple.ResourceFork extended attribute" + "name": "NSM:Flow", + "channel": "Observed File Transfers" + }, + { + "name": "OpenBSM:AuditTrail", + "channel": "BSM audit events for file permission modifications" + }, + { + "name": "OpenBSM:AuditTrail", + "channel": "BSM audit events for file permission, ownership, and attribute modifications with user context" + }, + { + "name": "saas:RepoEvents", + "channel": "New file added or modified in PR targeting CI/CD or build config (e.g., `gitlab-ci.yml`, `build.gradle`, `pom.xml`, `.github/workflows/*.yml`)" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "Invalid/Unsigned image when developer tool launches newly installed binaries" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "Unsigned or invalid image for newly installed/updated binaries" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "Code integrity violations in boot-start drivers or firmware" + }, + { + "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", + "channel": "CodeIntegrity reports 'Invalid image hash' or 'Unsigned image' for new/updated binaries" + }, + { + "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational", + "channel": "SmartScreen or ASR blocks on newly downloaded installer/updater" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4663, 4670, 4656" + }, + { + "name": "WinEventLog:Security", + "channel": 
"EventCode=4663, 4656, 4658" + }, + { + "name": "WinEventLog:Setup", + "channel": "MSI/Product install, repair or update events" + }, + { + "name": "WinEventLog:Sysmon", + "channel": "EventCode=15" + }, + { + "name": "WinEventLog:Windows Defender", + "channel": "Operational log" + }, + { + "name": "WinEventLog:Windows Defender", + "channel": "Operational" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json index d114d207dd..3b89399bba 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b72ab2f9-877c-4407-b127-81faa1734fbe", + "id": "bundle--5c0f1ae7-100c-4cfb-bb8d-f95cab7b6891", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-20T18:21:23.994Z", "name": "Service Modification", "description": "Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -28,9 +28,13 @@ "ics-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ + { + "name": "esxi:hostd", + "channel": "service state change" + }, { "name": "Service", "channel": "None" 
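Review bot: The two `WinEventLog:Windows Defender` entries at the end of this `x_mitre_log_sources` list differ only in channel text, `"Operational log"` versus `"Operational"`, and now that the list is sorted they read as one source recorded twice. A few entries earlier the same hunk also has `WinEventLog:Microsoft-Windows-Windows Defender/Operational`, which appears to name the same log under a different spelling. A consumer that keys detections or coverage counts on `name` would count these as separate sources. I would merge the two near-identical entries into one, and use a single spelling of the log name throughout, assuming all three refer to the Defender operational log. The array opens before this hunk, so entries outside it were not checked.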
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json index 3c9909b11e..c955ef2101 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fdfe423c-e33b-4554-b620-95e8b2ae0b7d", + "id": "bundle--8f574f82-e238-44a4-b59e-34d73a22f8e5", "spec_version": "2.0", "objects": [ { 
@@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-24T19:47:16.123Z", "name": "Command Execution", "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: \n\n- Windows Command Prompt\n - dir \u2013 Lists directory contents.\n - net user \u2013 Queries or manipulates user accounts.\n - tasklist \u2013 Lists running processes.\n- PowerShell\n - Get-Process \u2013 Retrieves processes running on a system.\n - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n - ls \u2013 Lists files in a directory.\n - cat /etc/passwd \u2013 Reads the user accounts file.\n - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n - docker exec \u2013 Executes a command inside a running container.\n - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n - open \u2013 Opens files or URLs.\n - dscl . -list /Users \u2013 Lists all users on the system.\n - osascript -e \u2013 Executes AppleScript commands.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -29,64 +29,712 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { - "name": "Command", - "channel": "None" + "name": "android:logcat", + "channel": "Command 'pm list packages' executed by app sandbox or child proc" + }, + { + "name": "auditd:CONFIG_CHANGE", + "channel": "udev rule reload or trigger command executed" + }, + { + "name": "auditd:EXECVE", + "channel": "execve of script/interpreter (bash, python, node) with suspicious encoded or non-printable content" + }, + { + "name": "auditd:EXECVE", + "channel": "Use of mv or cp to rename files with '.' prefix" + }, + { + "name": "auditd:EXECVE", + "channel": "execve: Execution of update-ca-certificates or trust anchor modification commands" + }, + { + "name": "auditd:EXECVE", + "channel": "gcore, gdb, strings, hexdump execution" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of auditctl, systemctl stop auditd, or kill -9 auditd" + }, + { + "name": "auditd:EXECVE", + "channel": "execution of systemctl with subcommands start, stop, enable, disable" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of GUI-related binaries with suppressed window/display flags" + }, + { + "name": "auditd:EXECVE", + "channel": "curl -X POST, wget --post-data" + }, + { + "name": "auditd:EXECVE", + "channel": "command line arguments containing lsblk, fdisk, parted" + }, + { + "name": "auditd:EXECVE", + "channel": "exec: Execution of dd, efibootmgr, or flashrom modifying firmware/boot partitions" + }, + { + "name": "auditd:EXECVE", + "channel": "curl -d, wget --post-data" + }, + { + "name": "auditd:EXECVE", + "channel": "grep/cat/awk on files with password fields" + }, + { + "name": "auditd:EXECVE", + "channel": "git push, curl -X POST" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of gsettings set org.gnome.login-screen disable-user-list true" + }, + { + "name": "auditd:EXECVE", + 
"channel": "execution of setfattr or getfattr commands" + }, + { + "name": "auditd:EXECVE", + "channel": "Process execution of update-ca-certificates or openssl with suspicious arguments" + }, + { + "name": "auditd:EXECVE", + "channel": "Execution of chattr to set +i or +a attributes" + }, + { + "name": "auditd:EXECVE", + "channel": "curl or wget with POST/PUT options" + }, + { + "name": "auditd:EXECVE", + "channel": "curl -T, rclone copy" + }, + { + "name": "auditd:EXECVE", + "channel": "execve of curl,wget,bash,sh,python with piped or remote content" + }, + { + "name": "auditd:EXECVE", + "channel": "execve, kill, ptrace, insmod, rmmod targeting security processes" + }, + { + "name": "auditd:PROCTITLE", + "channel": "proctitle contains chmod, chown, setfacl, or attr commands with suspicious parameters" + }, + { + "name": "auditd:PROCTITLE", + "channel": "proctitle contains chmod, chown, chgrp, setfacl, or attr with suspicious parameters (777, 755, +x, -R)" + }, + { + "name": "auditd:PROCTITLE", + "channel": "process title records containing discovery command sequences and environmental assessment patterns" + }, + { + "name": "auditd:PROCTITLE", + "channel": "command-line execution patterns for system discovery utilities (uname, hostname, ifconfig, netstat, lsof, ps, mount)" }, { "name": "auditd:SYSCALL", "channel": "execution of realmd, samba-tool, or ldapmodify with user-related arguments" }, { - "name": "macos:unifiedlog", - "channel": "dsconfigad or dscl with create or append options for AD-bound users" + "name": "auditd:SYSCALL", + "channel": "Execution of script interpreters by systemd timer (ExecStart)" }, { - "name": "EDR:AMSI", - "channel": "None" + "name": "auditd:SYSCALL", + "channel": "execve: Commands like systemctl stop , service stop, or kill -9 " }, { - "name": "linux:syslog", - "channel": "cron activity" + "name": "auditd:SYSCALL", + "channel": "execve calls to locale, timedatectl, or cat /etc/timezone" }, { - "name": "WinEventLog:PowerShell", - 
"channel": "Get-ADTrust|GetAllTrustRelationships" + "name": "auditd:SYSCALL", + "channel": "sleep function usage or loops (nanosleep, usleep) in scripts" }, { - "name": "gcp:audit", + "name": "auditd:SYSCALL", + "channel": "connect, execve, write" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve call including 'nohup' or trailing '&'" + }, + { + "name": "auditd:SYSCALL", "channel": "None" }, { "name": "auditd:SYSCALL", - "channel": "Execution of script interpreters by systemd timer (ExecStart)" + "channel": "execve: Commands executed within an SSH session where no matching logon/authentication event exists" + }, + { + "name": "auditd:SYSCALL", + "channel": "chmod, execve" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: iptables, nft, firewall-cmd modifications" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Invocation of scp, rsync, curl, or sftp" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls modifying local mail filter configuration files" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: process_name IN (\"virsh\", \"VBoxManage\", \"qemu-img\") AND command IN (\"list\", \"info\")" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: service stop syslog, systemctl stop rsyslog, kill -9 syslog" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: openssl pkcs12, certutil, keytool" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Process in container namespace executes curl|wget|bash|sh|python|nc with outbound args" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of systemctl or service with enable/start parameters" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of cat, less, grep, journalctl targeting log directories (/var/log/)" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of python, perl, or custom binaries invoking compression libraries" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve, USER_CMD" + }, + { + "name": 
"auditd:SYSCALL", + "channel": "bash/zsh of base64, tar, gzip, or openssl immediately after file write" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Processes executing sendmail/postfix with forged headers" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of tar, gzip, bzip2, xz, zip, or openssl with compression/encryption arguments" + }, + { + "name": "auditd:SYSCALL", + "channel": "promiscuous mode transitions (ioctl or ifconfig)" + }, + { + "name": "auditd:SYSCALL", + "channel": "chattr, rm, shred, dd run on recovery directories or partitions" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of curl or wget writing files to /tmp/* followed by chmod or execution" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of downgraded interpreters such as python2 or forced fallback commands" + }, + { + "name": "auditd:SYSCALL", + "channel": "Command line arguments including SPApplicationsDataType" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP packets to known amplifier ports" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of tools like cat, grep, or awk on credential files" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve of curl, rsync, wget with internal knowledge base or IPs" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of systemctl, loginctl, or systemd-inhibit commands related to sleep/hibernate" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of xev, xdotool, or input activity emulators" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of interpreters creating archive-like outputs without calling tar/gzip" + }, + { + "name": "auditd:SYSCALL", + "channel": "Execution of insmod, modprobe, or rmmod commands by non-standard users or outside expected timeframes" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve syscalls for discovery 
commands (uname, hostname, id, whoami, ps, netstat, mount) with command-line parameter analysis" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of curl, wget, or custom scripts accessing financial endpoints" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of tar, gzip, bzip2, or openssl with output redirection" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve=/sbin/shutdown or /sbin/reboot" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls modifying HISTFILE or HISTCONTROL via unset/export" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve calls to /usr/bin/locale or shell execution of $LANG" + }, + { + "name": "auditd:SYSCALL", + "channel": "execution of systemctl or service with enable/start/modify" + }, + { + "name": "auditd:SYSCALL", + "channel": "execve: Execution of lsmod, modinfo, or cat /proc/modules" + }, + { + "name": "auditd:USER_CMD", + "channel": "USER_CMD" }, { "name": "AWS:CloudTrail", "channel": "InvokeFunction" }, { - "name": "m365:unified", - "channel": "Automated forwarding or file sync initiated by a logic app" + "name": "AWS:CloudTrail", + "channel": "eventName: RunInstances, CreateUser, PutRolePolicy, InvokeCommand" }, { - "name": "WinEventLog:PowerShell", - "channel": "EventCode=4103, 4104, 4105, 4106" + "name": "AWS:CloudTrail", + "channel": "SSM RunCommand" }, { - "name": "linux:syslog", - "channel": "Suspicious script or command execution targeting browser folders" + "name": "AWS:CloudTrail", + "channel": "GetLogEvents: High frequency log exports from CloudWatch or equivalent services" + }, + { + "name": "AWS:CloudTrail", + "channel": "command-line execution invoking credential enumeration" + }, + { + "name": "AWS:CloudTrail", + "channel": "ssm:GetCommandInvocation" + }, + { + "name": "AWS:CloudTrail", + "channel": "SendCommand, StartSession, ExecuteCommand: Unexpected AWS Systems Manager command execution targeting EC2 instances" + }, + { + "name": "azure:activity", 
+ "channel": "Intune PowerShell Scripts" + }, + { + "name": "azure:signinlogs", + "channel": "OperationName=SetDomainAuthentication OR Update-MsolFederatedDomain" + }, + { + "name": "Command", + "channel": "None" + }, + { + "name": "docker:api", + "channel": "docker logs access or container inspect commands from non-administrative users" + }, + { + "name": "docker:daemon", + "channel": "docker exec or docker run with unexpected command/entrypoint" + }, + { + "name": "docker:events", + "channel": "container exec rm|container stop --force" + }, + { + "name": "ebpf:syscalls", + "channel": "useradd or /etc/passwd modified inside container" + }, + { + "name": "EDR:AMSI", + "channel": "None" + }, + { + "name": "EDR:cli", + "channel": "Command Line Telemetry" + }, + { + "name": "esxi:hostd", + "channel": "command execution" + }, + { + "name": "esxi:hostd", + "channel": "/var/log/hostd.log" + }, + { + "name": "esxi:hostd", + "channel": "modification of config files or shell command execution" + }, + { + "name": "esxi:hostd", + "channel": "shell access or job registration" + }, + { + "name": "esxi:hostd", + "channel": "logline inspection" + }, + { + "name": "esxi:hostd", + "channel": "esxcli network firewall set commands" + }, + { + "name": "esxi:hostd", + "channel": "event stream" + }, + { + "name": "esxi:hostd", + "channel": "scp/ssh used to move file across hosts" + }, + { + "name": "esxi:hostd", + "channel": "None" + }, + { + "name": "esxi:hostd", + "channel": "esxcli system syslog config set or reload" + }, + { + "name": "esxi:hostd", + "channel": "command log" + }, + { + "name": "esxi:hostd", + "channel": "Execution of '/bin/vmx' or modifications to '/etc/rc.local.d/local.sh'" + }, + { + "name": "esxi:hostd", + "channel": "Command Execution" + }, + { + "name": "esxi:hostd", + "channel": "remote CLI + vim-cmd logging" + }, + { + "name": "esxi:hostd", + "channel": "execution + payload hints" + }, + { + "name": "esxi:shell", + "channel": "esxcli system syslog config 
set/reload, services.sh restart/stop" }, { "name": "esxi:shell", "channel": "snapshot create/copy, esxcli" }, { - "name": "auditd:SYSCALL", - "channel": "execve: Commands like systemctl stop , service stop, or kill -9 " + "name": "esxi:shell", + "channel": "interactive shell" + }, + { + "name": "esxi:shell", + "channel": "/var/log/shell.log" + }, + { + "name": "esxi:shell", + "channel": "invoked remote scripts (esxcli)" + }, + { + "name": "esxi:shell", + "channel": "base64 or gzip use within shell session" + }, + { + "name": "esxi:shell", + "channel": "scripts or binaries with misleading names" + }, + { + "name": "esxi:shell", + "channel": "/var/log/shell.log entries containing \"esxcli system clock get\"" + }, + { + "name": "esxi:shell", + "channel": "None" + }, + { + "name": "esxi:shell", + "channel": "command IN (\"esxcli vm process list\", \"vim-cmd vmsvc/getallvms\")" + }, + { + "name": "esxi:shell", + "channel": "openssl|tar|dd" + }, + { + "name": "esxi:shell", + "channel": "Execution of cat, tail, grep targeting /var/log/vmkernel.log or /var/log/hostd.log" + }, + { + "name": "esxi:shell", + "channel": "CLI usage logs" + }, + { + "name": "esxi:shell", + "channel": "Command execution trace" + }, + { + "name": "esxi:shell", + "channel": "shell command execution for chmod, chown, or file permission modification on VMFS or system files" + }, + { + "name": "esxi:shell", + "channel": "esxcli system syslog config set --loghost='' or stopping hostd service" + }, + { + "name": "esxi:shell", + "channel": "Shell Access/Command Execution" + }, + { + "name": "esxi:shell", + "channel": "esxcli software vib list" + }, + { + "name": "esxi:shell", + "channel": "/root/.ash_history" + }, + { + "name": "esxi:shell", + "channel": "mv, rename, or chmod commands moving VM files into hidden directories" + }, + { + "name": "esxi:shell", + "channel": "`esxcli software vib install` with `--force` or `--no-sig-check` from shell history or `shell.log`" + }, + { + "name": "esxi:shell", + 
"channel": "CLI session activity" + }, + { + "name": "esxi:shell", + "channel": "esxcli system shutdown or reboot invoked" + }, + { + "name": "esxi:shell", + "channel": "shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration" + }, + { + "name": "esxi:shell", + "channel": "unset HISTFILE or HISTFILESIZE modifications" + }, + { + "name": "esxi:syslog", + "channel": "boot logs" + }, + { + "name": "esxi:vmkernel", + "channel": "/var/log/vmkernel.log" + }, + { + "name": "esxi:vmkernel", + "channel": "DCUI shell start, BusyBox activity" + }, + { + "name": "esxi:vmkernel", + "channel": "esxcli system account add" + }, + { + "name": "esxi:vmkernel", + "channel": "Unexpected restarts of management agents or shell access" + }, + { + "name": "esxi:vmkernel", + "channel": "esxcli, vim-cmd invocation" + }, + { + "name": "esxi:vobd", + "channel": "shell session start" + }, + { + "name": "esxi:vpxd", + "channel": "vCenter Management" + }, + { + "name": "fs:fsusage", + "channel": "file system activity monitor" + }, + { + "name": "fs:fsusage", + "channel": "access to BPF devices or interface IOCTLs" + }, + { + "name": "gcp:audit", + "channel": "None" + }, + { + "name": "gcp:audit", + "channel": "methodName: setIamPolicy, startInstance, createServiceAccount" + }, + { + "name": "kubernetes:audit", + "channel": "Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session attached (i.e., automation anomaly)" + }, + { + "name": "kubernetes:audit", + "channel": "process execution involving curl, grep, or awk on secrets" + }, + { + "name": "linus:syslog", + "channel": "None" + }, + { + "name": "linux:cli", + "channel": "command logging" + }, + { + "name": "linux:cli", + "channel": "Shell history logs" + }, + { + "name": "linux:cli", + "channel": "Terminal Command History" + }, + { + "name": "linux:cli", + "channel": "/home/*/.bash_history" + }, + { + "name": "linux:osquery", + "channel": 
"Command-line includes base64 -d or openssl enc -d" + }, + { + "name": "linux:osquery", + "channel": "process_events.command_line" + }, + { + "name": "linux:shell", + "channel": "Manual invocation of software enumeration commands via interactive shell" + }, + { + "name": "linux:syslog", + "channel": "cron activity" + }, + { + "name": "linux:syslog", + "channel": "Suspicious script or command execution targeting browser folders" + }, + { + "name": "linux:syslog", + "channel": "Unusual outbound transfers from CLI tools like base64, gzip, or netcat" + }, + { + "name": "linux:syslog", + "channel": "sudo chage|grep pam_pwquality|cat /etc/login.defs" + }, + { + "name": "linux:syslog", + "channel": "sudo execution of ffmpeg/gst-launch/v4l2-ctl by non-standard user" + }, + { + "name": "linux:syslog", + "channel": "sshd logs" + }, + { + "name": "linux:syslog", + "channel": "CLI access to 'show running-config', 'show password', or 'cat config.txt'" + }, + { + "name": "linux:syslog", + "channel": "Sudo or root escalation followed by filesystem mount commands" + }, + { + "name": "linuxsyslog", + "channel": "nslcd or winbind logs" + }, + { + "name": "m365:defender", + "channel": "Activity Log: Command Invocation" + }, + { + "name": "m365:exchange", + "channel": "Cmdlet: Get-GlobalAddressList, Get-Recipient" + }, + { + "name": "m365:exchange", + "channel": "Get-RoleGroup, Get-DistributionGroup" + }, + { + "name": "m365:messagetrace", + "channel": "Inbound email triggers execution of mailbox-stored custom form" + }, + { + "name": "m365:messagetrace", + "channel": "Inbound email matches crafted rule trigger pattern tied to persistence logic" + }, + { + "name": "m365:messagetrace", + "channel": "Inbound email triggering Outlook to auto-access folder tied to malicious Home Page" + }, + { + "name": "m365:office", + "channel": "Startup execution includes non-default component" + }, + { + "name": "m365:office", + "channel": "Execution of unsigned macro from template" + }, + { + "name": 
"m365:unified", + "channel": "Automated forwarding or file sync initiated by a logic app" + }, + { + "name": "m365:unified", + "channel": "Search-Mailbox, Get-MessageTrace, eDiscovery requests" + }, + { + "name": "m365:unified", + "channel": "Set-Mailbox, New-InboxRule" + }, + { + "name": "m365:unified", + "channel": "Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation" + }, + { + "name": "macos:osquery", + "channel": "Interpreter exec with suspicious arguments as above" + }, + { + "name": "macos:osquery", + "channel": "launchd + process_events" + }, + { + "name": "macos:syslog", + "channel": "system.log" + }, + { + "name": "macos:syslog", + "channel": "/var/log/system.log" + }, + { + "name": "macos:unifiedlog", + "channel": "dsconfigad or dscl with create or append options for AD-bound users" }, { "name": "macos:unifiedlog", @@ -100,42 +748,14 @@ "name": "macos:unifiedlog", "channel": "log stream --predicate" }, - { - "name": "WinEventLog:PowerShell", - "channel": "Execution of Microsoft script to enumerate custom forms in Outlook mailbox" - }, - { - "name": "m365:messagetrace", - "channel": "Inbound email triggers execution of mailbox-stored custom form" - }, - { - "name": "auditd:EXECVE", - "channel": "Use of mv or cp to rename files with '.' prefix" - }, { "name": "macos:unifiedlog", "channel": "Execution of chflags hidden or SetFile -a V" }, - { - "name": "esxi:shell", - "channel": "interactive shell" - }, - { - "name": "networkdevice:cli", - "channel": "CLI command" - }, { "name": "macos:unifiedlog", "channel": "log stream" }, - { - "name": "esxi:vmkernel", - "channel": "/var/log/vmkernel.log" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve calls to locale, timedatectl, or cat /etc/timezone" - }, { "name": "macos:unifiedlog", "channel": "defaults read -g AppleLocale, systemsetup -gettimezone" 
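Review bot: Two added entries in this `x_mitre_log_sources` list carry names that look like misspellings of `linux:syslog`: `"name": "linus:syslog"` (channel `None`) and `"name": "linuxsyslog"` (channel `nslcd or winbind logs`). Anything that groups or matches log sources by `name` will treat them as separate sources, so the nslcd/winbind channel will not appear under the Linux syslog source that the neighbouring entries use. I would change both to `"name": "linux:syslog"`. Separately, the `auditd:SYSCALL` channel `execve: Commands like systemctl stop , service stop, or kill -9 ` reads as if a placeholder was dropped after `stop` and after `-9`; it is carried over unchanged from the old side, but is worth restoring while the list is being rewritten. The array continues into later hunks, so the rest of the list was not checked.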
@@ -144,126 +764,22 @@ "name": "macos:unifiedlog", "channel": "profiles install -type=configuration" }, - { - "name": "auditd:SYSCALL", - "channel": "sleep function usage or loops (nanosleep, usleep) in scripts" - }, - { - "name": "m365:unified", - "channel": "Search-Mailbox, Get-MessageTrace, eDiscovery requests" - }, - { - "name": "EDR:cli", - "channel": "Command Line Telemetry" - }, { "name": "macos:unifiedlog", "channel": "log stream --predicate 'eventMessage contains \"loginwindow\" or \"pfctl\"'" }, - { - "name": "networkdevice:syslog", - "channel": "Command Audit / Configuration Change" - }, - { - "name": "WinEventLog:Microsoft-Office/OutlookAddinMonitor", - "channel": "Outlook loading add-in via unexpected load path or non-default profile context" - }, { "name": "macos:unifiedlog", "channel": "exec or sudo usage with NOPASSWD context or echo modifying sudoers" }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4103, 4104, 4105, 4106" - }, - { - "name": "auditd:EXECVE", - "channel": "execve: Execution of update-ca-certificates or trust anchor modification commands" - }, { "name": "macos:unifiedlog", "channel": "Execution of /usr/bin/security add-trusted-cert or keychain modifications to System.keychain" }, - { - "name": "auditd:EXECVE", - "channel": "gcore, gdb, strings, hexdump execution" - }, - { - "name": "auditd:SYSCALL", - "channel": "connect, execve, write" - }, - { - "name": "esxi:hostd", - "channel": "command execution" - }, - { - "name": "auditd:EXECVE", - "channel": "Execution of auditctl, systemctl stop auditd, or kill -9 auditd" - }, - { - "name": "macos:syslog", - "channel": "system.log" - }, - { - "name": "esxi:hostd", - "channel": "/var/log/hostd.log" - }, - { - "name": "esxi:shell", - "channel": "/var/log/shell.log" - }, - { - "name": "docker:daemon", - "channel": "docker exec or docker run with unexpected command/entrypoint" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve call including 'nohup' or trailing '&'" - }, { 
"name": "macos:unifiedlog", "channel": "nohup, disown, or osascript execution patterns" }, - { - "name": "WinEventLog:PowerShell", - "channel": "CommandLine=copy-item or robocopy from UNC path" - }, - { - "name": "esxi:shell", - "channel": "invoked remote scripts (esxcli)" - }, - { - "name": "auditd:EXECVE", - "channel": "execution of systemctl with subcommands start, stop, enable, disable" - }, - { - "name": "networkdevice:cli", - "channel": "Policy Update" - }, - { - "name": "auditd:SYSCALL", - "channel": "None" - }, - { - "name": "AWS:CloudTrail", - "channel": "eventName: RunInstances, CreateUser, PutRolePolicy, InvokeCommand" - }, - { - "name": "gcp:audit", - "channel": "methodName: setIamPolicy, startInstance, createServiceAccount" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Commands executed within an SSH session where no matching logon/authentication event exists" - }, - { - "name": "esxi:hostd", - "channel": "modification of config files or shell command execution" - }, - { - "name": "kubernetes:audit", - "channel": "Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session attached (i.e., automation anomaly)" - }, { "name": "macos:unifiedlog", "channel": "Execution of 'profiles install -type=configuration'" 
@@ -272,46 +788,14 @@ "name": "macos:unifiedlog", "channel": "subsystem:com.apple.Terminal" }, - { - "name": "networkdevice:syslog", - "channel": "eventlog" - }, - { - "name": "esxi:hostd", - "channel": "shell access or job registration" - }, - { - "name": "WinEventLog:PowerShell", - "channel": "PowerShell launched from outlook.exe or triggered without user invocation" - }, - { - "name": "m365:messagetrace", - "channel": "Inbound email matches crafted rule trigger pattern tied to persistence logic" - }, - { - "name": "linus:syslog", - "channel": "None" - }, - { - "name": "linux:syslog", - "channel": "Unusual outbound transfers from CLI tools like base64, gzip, or netcat" - }, { "name": "macos:unifiedlog", "channel": "base64 or curl processes chained within short execution window" }, - { - "name": "esxi:shell", - "channel": "base64 or gzip use within shell session" - }, { "name": "macos:unifiedlog", "channel": "exec: Invocation of /usr/bin/defaults write or /usr/bin/plutil modifying plist keys" }, - { - "name": "auditd:SYSCALL", - "channel": "chmod, execve" - }, { "name": "macos:unifiedlog", "channel": "chmod command with arguments including '+s', 'u+s', or numeric values 4000\u20136777" 
@@ -320,698 +804,118 @@ "name": "macos:unifiedlog", "channel": "command includes dscl . delete or sysadminctl --deleteUser" }, - { - "name": "fs:fsusage", - "channel": "file system activity monitor" - }, - { - "name": "networkdevice:cli", - "channel": "ip ssh pubkey-chain" - }, - { - "name": "esxi:shell", - "channel": "scripts or binaries with misleading names" - }, - { - "name": "auditd:EXECVE", - "channel": "Execution of GUI-related binaries with suppressed window/display flags" - }, - { - "name": "linuxsyslog", - "channel": "nslcd or winbind logs" - }, { "name": "macos:unifiedlog", "channel": "DS daemon log entries" }, - { - "name": "esxi:hostd", - "channel": "logline inspection" - }, { "name": "macos:unifiedlog", "channel": "diskutil eraseDisk / asr restore with destructive flags" }, - { - "name": "networkdevice:cli", - "channel": "erase flash:, erase startup-config, format disk" - }, - { - "name": "networkdevice:syslog", - "channel": "command_exec" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: iptables, nft, firewall-cmd modifications" - }, { "name": "macos:unifiedlog", "channel": "pfctl -d, socketfilterfw --setglobalstate off, or modifications to com.apple.alf" }, - { - "name": "esxi:hostd", - "channel": "esxcli network firewall set commands" - }, - { - "name": "docker:events", - "channel": "container exec rm|container stop --force" - }, - { - "name": "esxi:hostd", - "channel": "event stream" - }, - { - "name": "networkdevice:cli", - "channel": "CLI command logs" - }, - { - "name": "esxi:shell", - "channel": "/var/log/shell.log entries containing \"esxcli system clock get\"" - }, - { - "name": "networkdevice:syslog", - "channel": "command-exec: CLI commands containing \"show clock\", \"show clock detail\", \"show timezone\" executed by suspicious user/source" - }, - { - "name": "networkdevice:cli", - "channel": "cmd: cmd=show clock detail" - }, - { - "name": "auditd:EXECVE", - "channel": "curl -X POST, wget --post-data" - }, - { - "name": 
"linux:syslog", - "channel": "sudo chage|grep pam_pwquality|cat /etc/login.defs" - }, { "name": "macos:unifiedlog", "channel": "pwpolicy|PasswordPolicy" }, - { - "name": "networkdevice:syslog", - "channel": "cmd='show aaa*' OR 'show running-config | include password|aaa' OR 'show aaa common-criteria policy all'" - }, - { - "name": "networkdevice:syslog", - "channel": "CLI command audit" - }, - { - "name": "networkdevice:cli", - "channel": "Execution of commands to load, copy, or replace system images (e.g., 'copy tftp flash', 'boot system')" - }, - { - "name": "WinEventLog:PowerShell", - "channel": "Execution of PowerShell script to enumerate or remove malicious Home Page folder config" - }, - { - "name": "m365:messagetrace", - "channel": "Inbound email triggering Outlook to auto-access folder tied to malicious Home Page" - }, { "name": "macos:unifiedlog", "channel": "Command line contains smbutil view //, mount_smbfs //" }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Invocation of scp, rsync, curl, or sftp" - }, - { - "name": "esxi:hostd", - "channel": "scp/ssh used to move file across hosts" - }, - { - "name": "auditd:EXECVE", - "channel": "command line arguments containing lsblk, fdisk, parted" - }, { "name": "macos:unifiedlog", "channel": "log messages related to disk enumeration context or Terminal session" }, - { - "name": "auditd:SYSCALL", - "channel": "execve calls modifying local mail filter configuration files" - }, - { - "name": "esxi:hostd", - "channel": "None" - }, - { - "name": "esxi:shell", - "channel": "None" - }, - { - "name": "networkdevice:cli", - "channel": "None" - }, - { - "name": "linux:syslog", - "channel": "sudo execution of ffmpeg/gst-launch/v4l2-ctl by non-standard user" - }, - { - "name": "docker:api", - "channel": "docker logs access or container inspect commands from non-administrative users" - }, - { - "name": "esxi:shell", - "channel": "command IN (\"esxcli vm process list\", \"vim-cmd vmsvc/getallvms\")" - }, - { - "name": 
"auditd:SYSCALL", - "channel": "execve: process_name IN (\"virsh\", \"VBoxManage\", \"qemu-img\") AND command IN (\"list\", \"info\")" - }, - { - "name": "esxi:shell", - "channel": "openssl|tar|dd" - }, - { - "name": "AWS:CloudTrail", - "channel": "SSM RunCommand" - }, - { - "name": "azure:activity", - "channel": "Intune PowerShell Scripts" - }, - { - "name": "m365:exchange", - "channel": "Cmdlet: Get-GlobalAddressList, Get-Recipient" - }, - { - "name": "networkdevice:cli", - "channel": "Execution of commands like 'show running-config', 'copy running-config', or 'export config'" - }, - { - "name": "esxi:syslog", - "channel": "boot logs" - }, - { - "name": "networkdevice:syslog", - "channel": "system boot logs" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: service stop syslog, systemctl stop rsyslog, kill -9 syslog" - }, { "name": "macos:unifiedlog", "channel": "defaults write com.apple.system.logging or logd manipulation" }, - { - "name": "esxi:hostd", - "channel": "esxcli system syslog config set or reload" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: openssl pkcs12, certutil, keytool" - }, { "name": "macos:unifiedlog", "channel": "process calling security find-certificate, export, or import" }, - { - "name": "networkdevice:cli", - "channel": "Execution of CLI commands altering crypto parameters (e.g., 'crypto key generate rsa modulus 512')" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Process in container namespace executes curl|wget|bash|sh|python|nc with outbound args" - }, - { - "name": "m365:exchange", - "channel": "Get-RoleGroup, Get-DistributionGroup" - }, - { - "name": "auditd:SYSCALL", - "channel": "execution of systemctl or service with enable/start parameters" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of cat, less, grep, journalctl targeting log directories (/var/log/)" - }, { "name": "macos:unifiedlog", "channel": "Execution of log show, fs_usage, or cat targeting system.log" }, - { - 
"name": "AWS:CloudTrail", - "channel": "GetLogEvents: High frequency log exports from CloudWatch or equivalent services" - }, - { - "name": "esxi:shell", - "channel": "Execution of cat, tail, grep targeting /var/log/vmkernel.log or /var/log/hostd.log" - }, - { - "name": "esxi:shell", - "channel": "CLI usage logs" - }, - { - "name": "macos:syslog", - "channel": "/var/log/system.log" - }, { "name": "macos:unifiedlog", "channel": "execution of launchctl load/unload/start commands" }, - { - "name": "WinEventLog:PowerShell", - "channel": "Exchange Cmdlets" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of python, perl, or custom binaries invoking compression libraries" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve, USER_CMD" - }, - { - "name": "auditd:USER_CMD", - "channel": "USER_CMD" - }, - { - "name": "esxi:shell", - "channel": "Command execution trace" - }, - { - "name": "auditd:SYSCALL", - "channel": "bash/zsh of base64, tar, gzip, or openssl immediately after file write" - }, - { - "name": "linux:osquery", - "channel": "Command-line includes base64 -d or openssl enc -d" - }, { "name": "macos:unifiedlog", "channel": "base64 -d or osascript invoked on staged file" }, - { - "name": "auditd:EXECVE", - "channel": "exec: Execution of dd, efibootmgr, or flashrom modifying firmware/boot partitions" - }, - { - "name": "auditd:EXECVE", - "channel": "curl -d, wget --post-data" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Processes executing sendmail/postfix with forged headers" - }, { "name": "macos:unifiedlog", "channel": "diskutil partitionDisk or eraseVolume with partition scheme modifications" }, - { - "name": "networkdevice:cli", - "channel": "format flash:, format disk, reformat commands" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of tar, gzip, bzip2, xz, zip, or openssl with compression/encryption arguments" - }, - { - "name": "auditd:PROCTITLE", - "channel": "proctitle contains chmod, chown, 
setfacl, or attr commands with suspicious parameters" - }, - { - "name": "esxi:shell", - "channel": "shell command execution for chmod, chown, or file permission modification on VMFS or system files" - }, - { - "name": "networkdevice:Firewall", - "channel": "Audit trail or CLI/API access indicating commands like no access-list, delete rule-set, clear config" - }, - { - "name": "auditd:EXECVE", - "channel": "grep/cat/awk on files with password fields" - }, { "name": "macos:unifiedlog", "channel": "grep/cat on files matching credential patterns" }, - { - "name": "kubernetes:audit", - "channel": "process execution involving curl, grep, or awk on secrets" - }, - { - "name": "AWS:CloudTrail", - "channel": "command-line execution invoking credential enumeration" - }, - { - "name": "auditd:SYSCALL", - "channel": "promiscuous mode transitions (ioctl or ifconfig)" - }, - { - "name": "fs:fsusage", - "channel": "access to BPF devices or interface IOCTLs" - }, - { - "name": "networkdevice:syslog", - "channel": "exec command='monitor capture'" - }, - { - "name": "WinEventLog:Microsoft-Office-Alerts", - "channel": "Unexpected DLL or component loaded at Office startup" - }, - { - "name": "m365:office", - "channel": "Startup execution includes non-default component" - }, { "name": "macos:unifiedlog", "channel": "diskutil eraseDisk/zeroDisk or asr restore with destructive flags" }, - { - "name": "networkdevice:cli", - "channel": "erase flash:, erase nvram:, format disk" - }, { "name": "macos:unifiedlog", "channel": "spctl --master-disable, csrutil disable, or defaults write to disable Gatekeeper" }, - { - "name": "esxi:shell", - "channel": "esxcli system syslog config set --loghost='' or stopping hostd service" - }, - { - "name": "networkdevice:syslog", - "channel": "no logging buffered, no aaa new-model, disable firewall" - }, - { - "name": "auditd:EXECVE", - "channel": "git push, curl -X POST" - }, - { - "name": "linux:cli", - "channel": "command logging" - }, - { - "name": 
"esxi:hostd", - "channel": "command log" - }, - { - "name": "networkdevice:cli", - "channel": "command logs" - }, - { - "name": "networkdevice:syslog", - "channel": "interactive shell logging" - }, - { - "name": "esxi:hostd", - "channel": "Execution of '/bin/vmx' or modifications to '/etc/rc.local.d/local.sh'" - }, - { - "name": "auditd:SYSCALL", - "channel": "chattr, rm, shred, dd run on recovery directories or partitions" - }, - { - "name": "networkdevice:syslog", - "channel": "command sequence: erase \u2192 format \u2192 reload" - }, { "name": "macos:unifiedlog", "channel": "process: at, job runner" }, - { - "name": "macos:osquery", - "channel": "Interpreter exec with suspicious arguments as above" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of curl or wget writing files to /tmp/* followed by chmod or execution" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of downgraded interpreters such as python2 or forced fallback commands" - }, - { - "name": "auditd:PROCTITLE", - "channel": "proctitle contains chmod, chown, chgrp, setfacl, or attr with suspicious parameters (777, 755, +x, -R)" - }, - { - "name": "auditd:EXECVE", - "channel": "Execution of gsettings set org.gnome.login-screen disable-user-list true" - }, { "name": "macos:unifiedlog", "channel": "Execution of dscl . 
create with IsHidden=1" }, - { - "name": "linux:syslog", - "channel": "sshd logs" - }, - { - "name": "esxi:shell", - "channel": "Shell Access/Command Execution" - }, - { - "name": "networkdevice:syslog", - "channel": "CLI Command Logging" - }, - { - "name": "auditd:CONFIG_CHANGE", - "channel": "udev rule reload or trigger command executed" - }, - { - "name": "linux:cli", - "channel": "Shell history logs" - }, { "name": "macos:unifiedlog", "channel": "log stream --predicate 'processImagePath contains \"zip\" OR \"base64\"'" }, - { - "name": "networkdevice:cli", - "channel": "command logging" - }, - { - "name": "esxi:hostd", - "channel": "Command Execution" - }, - { - "name": "macos:osquery", - "channel": "launchd + process_events" - }, - { - "name": "esxi:vmkernel", - "channel": "DCUI shell start, BusyBox activity" - }, - { - "name": "esxi:hostd", - "channel": "remote CLI + vim-cmd logging" - }, - { - "name": "networkdevice:syslog", - "channel": "CLI Command Audit" - }, - { - "name": "m365:defender", - "channel": "Activity Log: Command Invocation" - }, - { - "name": "WinEventLog:PowerShell", - "channel": "CmdletName: Get-Recipient, Get-User" - }, - { - "name": "WinEventLog:PowerShell", - "channel": "Execution of 'Get-WmiObject Win32_Product' or similar PowerShell cmdlets" - }, - { - "name": "linux:shell", - "channel": "Manual invocation of software enumeration commands via interactive shell" - }, - { - "name": "auditd:SYSCALL", - "channel": "Command line arguments including SPApplicationsDataType" - }, - { - "name": "AWS:CloudTrail", - "channel": "ssm:GetCommandInvocation" - }, - { - "name": "esxi:shell", - "channel": "esxcli software vib list" - }, - { - "name": "auditd:EXECVE", - "channel": "execution of setfattr or getfattr commands" - }, { "name": "macos:unifiedlog", "channel": "xattr utility execution with -w or -p flags" }, - { - "name": "auditd:SYSCALL", - "channel": "Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP packets to known 
amplifier ports" - }, - { - "name": "auditd:SYSCALL", - "channel": "execution of tools like cat, grep, or awk on credential files" - }, { "name": "macos:unifiedlog", "channel": "execution of 'security', 'cat', or 'grep' commands accessing credential storage" }, - { - "name": "linux:syslog", - "channel": "CLI access to 'show running-config', 'show password', or 'cat config.txt'" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve of curl, rsync, wget with internal knowledge base or IPs" - }, - { - "name": "esxi:shell", - "channel": "/root/.ash_history" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of systemctl, loginctl, or systemd-inhibit commands related to sleep/hibernate" - }, - { - "name": "auditd:SYSCALL", - "channel": "Execution of xev, xdotool, or input activity emulators" - }, { "name": "macos:unifiedlog", "channel": "launchctl load or boot-time plist registration" }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of interpreters creating archive-like outputs without calling tar/gzip" - }, - { - "name": "networkdevice:syslog", - "channel": "command audit" - }, - { - "name": "networkdevice:cli", - "channel": "Interface commands" - }, { "name": "macos:unifiedlog", "channel": "dscl -create" }, - { - "name": "esxi:vmkernel", - "channel": "esxcli system account add" - }, - { - "name": "ebpf:syscalls", - "channel": "useradd or /etc/passwd modified inside container" - }, - { - "name": "auditd:SYSCALL", - "channel": "Execution of insmod, modprobe, or rmmod commands by non-standard users or outside expected timeframes" - }, { "name": "macos:unifiedlog", "channel": "kextload execution from Terminal or suspicious paths" }, - { - "name": "WinEventLog:PowerShell", - "channel": "Execution of PowerShell without -NoProfile flag" - }, - { - "name": "auditd:EXECVE", - "channel": "Process execution of update-ca-certificates or openssl with suspicious arguments" - }, { "name": "macos:unifiedlog", "channel": "xattr -d 
com.apple.quarantine or similar removal commands" }, - { - "name": "azure:signinlogs", - "channel": "OperationName=SetDomainAuthentication OR Update-MsolFederatedDomain" - }, - { - "name": "linux:syslog", - "channel": "Sudo or root escalation followed by filesystem mount commands" - }, - { - "name": "WinEventLog:PowerShell", - "channel": "EventCode=4101" - }, - { - "name": "networkdevice:cli", - "channel": "Execution of privileged commands such as 'copy tftp flash', 'boot system', or 'debug memory'" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve syscalls for discovery commands (uname, hostname, id, whoami, ps, netstat, mount) with command-line parameter analysis" - }, - { - "name": "auditd:PROCTITLE", - "channel": "process title records containing discovery command sequences and environmental assessment patterns" - }, { "name": "macos:unifiedlog", "channel": "Security framework operations including keychain access, cryptographic operations, and certificate validation" }, - { - "name": "m365:unified", - "channel": "Set-Mailbox, New-InboxRule" - }, { "name": "macos:unifiedlog", "channel": "None" }, - { - "name": "networkdevice:cli", - "channel": "Execution of commands disabling crypto hardware acceleration (e.g., 'no crypto engine enable')" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of curl, wget, or custom scripts accessing financial endpoints" - }, - { - "name": "auditd:EXECVE", - "channel": "Execution of chattr to set +i or +a attributes" - }, { "name": "macos:unifiedlog", "channel": "Execution of chflags hidden or setfile -a V" }, - { - "name": "esxi:shell", - "channel": "mv, rename, or chmod commands moving VM files into hidden directories" - }, - { - "name": "esxi:hostd", - "channel": "execution + payload hints" - }, - { - "name": "linux:osquery", - "channel": "process_events.command_line" - }, { "name": "macos:unifiedlog", "channel": "process:spawn, process:exec" }, - { - "name": "esxi:vobd", - "channel": "shell session 
start" - }, - { - "name": "networkdevice:cli", - "channel": "shell command" - }, - { - "name": "WinEventLog:Microsoft-Office-Alerts", - "channel": "Office application warning or alert on macro execution from template" - }, - { - "name": "m365:unified", - "channel": "Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation" - }, - { - "name": "m365:office", - "channel": "Execution of unsigned macro from template" - }, - { - "name": "linux:cli", - "channel": "Terminal Command History" - }, { "name": "macos:unifiedlog", "channel": "csrutil disable" 
@@ -1020,138 +924,26 @@ "name": "macos:unifiedlog", "channel": "log show --predicate 'process == '" }, - { - "name": "networkdevice:syslog", - "channel": "Privilege-level command execution" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of tar, gzip, bzip2, or openssl with output redirection" - }, - { - "name": "saas:PRMetadata", - "channel": "Commit message or branch name contains encoded strings or payload indicators" - }, { "name": "macos:unifiedlog", "channel": "Execution of launchctl with setenv or bootout targeting TCC.db or AppleScript under Finder context" }, - { - "name": "esxi:shell", - "channel": "`esxcli software vib install` with `--force` or `--no-sig-check` from shell history or `shell.log`" - }, - { - "name": "AWS:CloudTrail", - "channel": "SendCommand, StartSession, ExecuteCommand: Unexpected AWS Systems Manager command execution targeting EC2 instances" - }, - { - "name": "esxi:vmkernel", - "channel": "Unexpected restarts of management agents or shell access" - }, - { - "name": "auditd:EXECVE", - "channel": "curl or wget with POST/PUT options" - }, - { - "name": "networkdevice:syslog", - "channel": "Detected CLI command to export key material" - }, - { - "name": "networkdevice:config", - "channel": "PKI export or certificate manipulation commands" - }, { "name": "macos:unifiedlog", "channel": "command execution triggered by emond (e.g., shell, curl, python)" }, - { - "name": "esxi:vmkernel", - "channel": "esxcli, vim-cmd invocation" - }, - { - "name": "esxi:shell", - "channel": "CLI session activity" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve=/sbin/shutdown or /sbin/reboot" - }, - { - "name": "esxi:shell", - "channel": "esxcli system shutdown or reboot invoked" - }, - { - "name": "networkdevice:syslog", - "channel": "reload command issued" - }, - { - "name": "auditd:PROCTITLE", - "channel": "command-line execution patterns for system discovery utilities (uname, hostname, ifconfig, netstat, lsof, ps, mount)" - 
}, - { - "name": "esxi:shell", - "channel": "shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration" - }, - { - "name": "vpxd.log", - "channel": "VM inventory queries and configuration enumeration through vCenter API calls" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve calls modifying HISTFILE or HISTCONTROL via unset/export" - }, { "name": "macos:unifiedlog", "channel": "Set or unset HIST* variables in shell environment" }, - { - "name": "esxi:shell", - "channel": "unset HISTFILE or HISTFILESIZE modifications" - }, - { - "name": "networkdevice:cli", - "channel": "Commands like 'no logging' or equivalents that disable session history" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve calls to /usr/bin/locale or shell execution of $LANG" - }, { "name": "macos:unifiedlog", "channel": "defaults read -g AppleLocale or systemsetup -gettimezone" }, - { - "name": "networkdevice:cli", - "channel": "Execution of commands such as 'copy tftp flash', 'boot system ', 'reload'" - }, - { - "name": "auditd:EXECVE", - "channel": "curl -T, rclone copy" - }, - { - "name": "auditd:SYSCALL", - "channel": "execution of systemctl or service with enable/start/modify" - }, { "name": "macos:unifiedlog", "channel": "launchctl load/unload or plist file modification" }, - { - "name": "networkdevice:syslog", - "channel": "syslog facility LOCAL7 or trap messages" - }, - { - "name": "linux:cli", - "channel": "/home/*/.bash_history" - }, - { - "name": "auditd:SYSCALL", - "channel": "execve: Execution of lsmod, modinfo, or cat /proc/modules" - }, - { - "name": "networkdevice:config", - "channel": "Configuration changes referencing 'boot system tftp' or modification of startup-config pointing to external TFTP servers" - }, { "name": "macos:unifiedlog", "channel": "dscl . -create" 
@@ -1161,8 +953,248 @@ "channel": "Execution of commands like `ls -l@`, `xattr -l`, or custom tools interacting with resource forks" }, { - "name": "esxi:vpxd", - "channel": "vCenter Management" + "name": "macos:unifiedlog", + "channel": "Execution of osascript, sh, bash, zsh, installer, open" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase" + }, + { + "name": "networkdevice:cli", + "channel": "CLI command" + }, + { + "name": "networkdevice:cli", + "channel": "Policy Update" + }, + { + "name": "networkdevice:cli", + "channel": "ip ssh pubkey-chain" + }, + { + "name": "networkdevice:cli", + "channel": "erase flash:, erase startup-config, format disk" + }, + { + "name": "networkdevice:cli", + "channel": "CLI command logs" + }, + { + "name": "networkdevice:cli", + "channel": "cmd: cmd=show clock detail" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands to load, copy, or replace system images (e.g., 'copy tftp flash', 'boot system')" + }, + { + "name": "networkdevice:cli", + "channel": "None" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands like 'show running-config', 'copy running-config', or 'export config'" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of CLI commands altering crypto parameters (e.g., 'crypto key generate rsa modulus 512')" + }, + { + "name": "networkdevice:cli", + "channel": "format flash:, format disk, reformat commands" + }, + { + "name": "networkdevice:cli", + "channel": "erase flash:, erase nvram:, format disk" + }, + { + "name": "networkdevice:cli", + "channel": "command logs" + }, + { + "name": "networkdevice:cli", + "channel": 
"command logging" + }, + { + "name": "networkdevice:cli", + "channel": "Interface commands" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of privileged commands such as 'copy tftp flash', 'boot system', or 'debug memory'" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands disabling crypto hardware acceleration (e.g., 'no crypto engine enable')" + }, + { + "name": "networkdevice:cli", + "channel": "shell command" + }, + { + "name": "networkdevice:cli", + "channel": "Commands like 'no logging' or equivalents that disable session history" + }, + { + "name": "networkdevice:cli", + "channel": "Execution of commands such as 'copy tftp flash', 'boot system ', 'reload'" + }, + { + "name": "networkdevice:config", + "channel": "PKI export or certificate manipulation commands" + }, + { + "name": "networkdevice:config", + "channel": "Configuration changes referencing 'boot system tftp' or modification of startup-config pointing to external TFTP servers" + }, + { + "name": "networkdevice:Firewall", + "channel": "Audit trail or CLI/API access indicating commands like no access-list, delete rule-set, clear config" + }, + { + "name": "networkdevice:syslog", + "channel": "Command Audit / Configuration Change" + }, + { + "name": "networkdevice:syslog", + "channel": "eventlog" + }, + { + "name": "networkdevice:syslog", + "channel": "command_exec" + }, + { + "name": "networkdevice:syslog", + "channel": "command-exec: CLI commands containing \"show clock\", \"show clock detail\", \"show timezone\" executed by suspicious user/source" + }, + { + "name": "networkdevice:syslog", + "channel": "cmd='show aaa*' OR 'show running-config | include password|aaa' OR 'show aaa common-criteria policy all'" + }, + { + "name": "networkdevice:syslog", + "channel": "CLI command audit" + }, + { + "name": "networkdevice:syslog", + "channel": "system boot logs" + }, + { + "name": "networkdevice:syslog", + "channel": "exec command='monitor capture'" + }, + { + 
"name": "networkdevice:syslog", + "channel": "no logging buffered, no aaa new-model, disable firewall" + }, + { + "name": "networkdevice:syslog", + "channel": "interactive shell logging" + }, + { + "name": "networkdevice:syslog", + "channel": "command sequence: erase \u2192 format \u2192 reload" + }, + { + "name": "networkdevice:syslog", + "channel": "CLI Command Logging" + }, + { + "name": "networkdevice:syslog", + "channel": "CLI Command Audit" + }, + { + "name": "networkdevice:syslog", + "channel": "command audit" + }, + { + "name": "networkdevice:syslog", + "channel": "Privilege-level command execution" + }, + { + "name": "networkdevice:syslog", + "channel": "Detected CLI command to export key material" + }, + { + "name": "networkdevice:syslog", + "channel": "reload command issued" + }, + { + "name": "networkdevice:syslog", + "channel": "syslog facility LOCAL7 or trap messages" + }, + { + "name": "saas:PRMetadata", + "channel": "Commit message or branch name contains encoded strings or payload indicators" + }, + { + "name": "vpxd.log", + "channel": "VM inventory queries and configuration enumeration through vCenter API calls" + }, + { + "name": "WinEventLog:Microsoft-Office-Alerts", + "channel": "Unexpected DLL or component loaded at Office startup" + }, + { + "name": "WinEventLog:Microsoft-Office-Alerts", + "channel": "Office application warning or alert on macro execution from template" + }, + { + "name": "WinEventLog:Microsoft-Office/OutlookAddinMonitor", + "channel": "Outlook loading add-in via unexpected load path or non-default profile context" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Get-ADTrust|GetAllTrustRelationships" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4103, 4104, 4105, 4106" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of Microsoft script to enumerate custom forms in Outlook mailbox" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "CommandLine=copy-item or robocopy 
from UNC path" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "PowerShell launched from outlook.exe or triggered without user invocation" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of PowerShell script to enumerate or remove malicious Home Page folder config" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Exchange Cmdlets" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "CmdletName: Get-Recipient, Get-User" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of 'Get-WmiObject Win32_Product' or similar PowerShell cmdlets" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "Execution of PowerShell without -NoProfile flag" + }, + { + "name": "WinEventLog:PowerShell", + "channel": "EventCode=4101" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4103, 4104, 4105, 4106" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json index b11acf8dbc..c32e7b89e2 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5adf834-35da-4798-8729-39d1f32d77e5", + "id": "bundle--4aca2432-b0e5-4945-96bf-2c05cbd9fc45", "spec_version": "2.0", "objects": [ { @@ -8,6 +8,7 @@ "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -18,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-16T16:59:19.254Z", "name": "Service Metadata", "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -113,6 +114,10 @@ { "name": "networkdevice:config", "channel": "write: Startup configuration changes disabling security checks" + }, + { + "name": "auditd:DAEMON", + "channel": "auditd stopped, config changed, logging suspended" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json index b76329ca3f..5d3eb96d1c 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8dab7814-1afc-4225-ae84-7b224d4a8d9b", + "id": "bundle--ed827f0d-8b56-4bda-add3-1b3857375a3e", "spec_version": "2.0", "objects": [ { @@ -22,7 +22,6 @@ "modified": "2025-11-12T22:03:39.105Z", "name": "Scheduled Job Metadata", "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.", - "x_mitre_data_source_ref": "", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json index 1eacd6c96f..9878c49a1a 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9945a35b-6ceb-4b88-99da-60fdddc7b7fd", + "id": "bundle--9382711e-413b-46a0-9b8e-ced18ebbbe20", "spec_version": "2.0", "objects": [ { @@ -19,16 +19,17 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-16T16:41:53.549Z", "name": "File Modification", "description": "Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: \n\n- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\\Windows\\System32\\drivers\\etc\\hosts` on Windows.\n- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows.\n- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.\n- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows.\n- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { 
@@ -606,6 +607,30 @@ { "name": "esxi:vmkernel", "channel": "/var/log/vmkernel.log" + }, + { + "name": "AndroidLogs:FileSystem", + "channel": "Modification to /system/etc/init/ or /vendor/etc/init/ boot-time scripts" + }, + { + "name": "iOS:unifiedlog", + "channel": "Creation or modification of LaunchDaemon or LaunchAgent plist in /System/Library/LaunchDaemons, /Library/LaunchDaemons, or /Library/LaunchAgents" + }, + { + "name": "android:logcat", + "channel": "INSERT or UPDATE of image/*, audio/*, video/* via ContentResolver with same URI re-written within short window; abnormal MIME/container change" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application inserts, updates, deletes, hides, or marks message records in SMS store or messaging database immediately after SMS receive or send event" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application inserts, updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history" + }, + { + "name": "auditd:PATH", + "channel": "odification of ~/.ssh/authorized_keys or credential files" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json index 513b1b38a6..89be67913a 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f67c3e07-2d36-4c6c-a7d0-cf8f8a256a80", + "id": "bundle--c7c61ca1-8d4f-4f91-ad16-ef483ccdb328", "spec_version": "2.0", "objects": [ { 
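Review bot: The last log source added in this hunk, `auditd:PATH`, has a channel string that begins `odification of ~/.ssh/authorized_keys or credential files`; the leading `M` has been dropped. Anyone searching the bundle for "Modification", or mapping channel text into detection content, will miss the one entry here that covers tampering with SSH authorized keys. It should read `"channel": "Modification of ~/.ssh/authorized_keys or credential files"`. The hunk also uses two naming styles for Android sources (`AndroidLogs:FileSystem` and `android:logcat`); if they refer to the same collection family, pick one spelling.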
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json index d9e189a377..7690f8063f 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f33507c1-e8c6-462f-8b42-8e8dbac9931d", + "id": "bundle--f843e272-3739-4f00-be87-706c499c4160", "spec_version": "2.0", "objects": [ { @@ -8,6 +8,7 @@ "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", "created": "2022-05-11T16:22:58.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -18,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-10-21T15:10:28.402Z", + "modified": "2026-04-22T14:51:44.669Z", "name": "Process History/Live Data", "description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -26,9 +27,13 @@ "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ + { + "name": "Databases", + "channel": "None" + }, { "name": "Operational Databases", "channel": "None" diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json index 78ae038ec0..a14ae2d9a5 100644 
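Review bot: The added `{ "name": "Databases", "channel": "None" }` entry in `x_mitre_log_sources` overlaps the `Operational Databases` entry that follows it and has the same `"None"` channel, so it gives a defender no more collection guidance than the existing entry. `"None"` is a string rather than JSON `null` and reads like a serialized placeholder, so consumers that group or de-duplicate log sources by `name` and `channel` will treat it as a real channel value. If the schema allows it, omit the key or use `null` when no channel applies. Also make the `name` specific enough to tell it apart from `Operational Databases`.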
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--544ad961-6522-4d7f-a2c1-8dff757a9afe", + "id": "bundle--31095341-fecc-4ae8-9cab-d6a4fa2357c8", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-23T18:22:40.476Z", "name": "OS API Execution", "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -29,7 +29,7 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { 
@@ -307,6 +307,410 @@ { "name": "EDR:file", "channel": "SetFileTime" + }, + { + "name": "AndroidLogs:Kernel", + "channel": "Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers)" + }, + { + "name": "android:logcat", + "channel": "SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID" + }, + { + "name": "iOS:unifiedlog", + "channel": "mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files" + }, + { + "name": "android:logcat", + "channel": "QUERY on exported ContentProviders of other packages (content:///*) or MediaStore scoped queries immediately preceding file reads" + }, + { + "name": "android:logcat", + "channel": "ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by " + }, + { + "name": "android:logcat", + "channel": "AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages" + }, + { + "name": "android:logcat", + "channel": "TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground" + }, + { + "name": "android:logcat", + "channel": "PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for . TYPE_WINDOW_STATE_CHANGED shows foreground app then immediate package queries by " + }, + { + "name": "iOS:unifiedlog", + "channel": "LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes" + }, + { + "name": "android:logcat", + "channel": "getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. 
Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks" + }, + { + "name": "iOS:unifiedlog", + "channel": "Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors" + }, + { + "name": "android:logcat", + "channel": "ACTION_VIEW redirect_uri handled by unexpected package" + }, + { + "name": "android:logcat", + "channel": "canOpenURL/LSApplicationWorkspace resolved to unexpected bundle for redirect_uri" + }, + { + "name": "android:logcat", + "channel": "query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree)" + }, + { + "name": "iOS:unifiedlog", + "channel": "enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers" + }, + { + "name": "android:logcat", + "channel": "wifiservice startScan / scanResults retrieved repeatedly or by unexpected package" + }, + { + "name": "android:logcat", + "channel": "bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package" + }, + { + "name": "android:logcat", + "channel": "telephony cell info enumeration bursts (neighboring/all cell info) by package" + }, + { + "name": "android:logcat", + "channel": "repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection)" + }, + { + "name": "android:logcat", + "channel": "Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE)" + }, + { + "name": "iOS:unifiedlog", + "channel": "Application invokes UIDevice queries (model, systemVersion, name)" + }, + { + "name": "android:logcat", + "channel": "Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source" + }, + { + "name": "iOS:unifiedlog", + "channel": "Invocation of AVAudioRecorder, AVCaptureSession, or related 
audio capture framework calls" + }, + { + "name": "android:logcat", + "channel": "Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs" + }, + { + "name": "iOS:unifiedlog", + "channel": "Application activates CoreLocation services or CLLocationManager APIs" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Observed network-path, reachability, DNS, transport, or location-provider framework reports repeated unavailable or failed state near active device use" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Content resolver, document provider, media store, storage access 
framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image" + }, + { + "name": "android:logcat", + "channel": "Invocation of Calendar.set() and Calendar.add()" + }, + { + "name": "iOS:unifiedlog", + "channel": "Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access" + }, + { + "name": "iOS:unifiedlog", + "channel": "Supplemental 
managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication" + }, + { + "name": "iOS:unifiedlog", + "channel": "Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow" + }, + { + "name": "iOS:unifiedlog", + "channel": "Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform" + }, + { + "name": "iOS:unifiedlog", + "channel": "Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing" + }, + { + "name": "android:logcat", + "channel": "Invocation of CallLogs.getLastOutgoingCall()" + }, + { + "name": "android:logcat", + "channel": 
"Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact()" + }, + { + "name": "iOS:unifiedlog", + "channel": "Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context" + }, + { + "name": "android:logcat", + "channel": "Invocation of AccountManager.getAccounts()" + }, + { + "name": "MobileEDR:telemetry", + "channel": "MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Accessibility-enabled app invoked global action such as back, home, recents, or navigation control while target foreground app context changed within TimeWindow" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App intercepts notification content from external package (e.g., messaging/auth 
apps) while in background OR without recent user interaction" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage" + }, + { + "name": "MobileEDR:telemetry", + "channel": "App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Keypair generation, import, or access events (public/private key usage) occurring prior to network communication" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application invokes archive, compression, or bulk-buffer packaging routines on previously accessed local data within the same execution chain" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application queries or 
opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application 
enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior" + }, + { + "name": "MobileEDR:telemetry", + "channel": "Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application launches or executes code where loaded library or component path does not match application package path or expected signing context" + }, + { + "name": "MobileEDR:telemetry", + "channel": "multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval" + }, + { + "name": "MobileEDR:telemetry", + 
"channel": "device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*)" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only after region match or location threshold condition" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence" + }, + { + "name": 
"MobileEDR:telemetry", + "channel": "application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or privileged file-removal operations immediately before installed-state loss" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json index 7801dab7fa..902bfba76f 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json 
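Review bot: Several of the `android:logcat` channel strings added in this hunk look truncated. `ClipboardManager (...) invoked by ` ends on a dangling preposition, the `PackageManager getInstalledApplications|...` entry reads `burst for . TYPE_WINDOW_STATE_CHANGED` and ends `package queries by `, and `content:///*` has no authority component. This pattern suggests placeholder tokens for a package or authority name were stripped during export; those entries should have the subject restored or be reworded so the sentence is complete without it. Separately, the `android:logcat` entry `canOpenURL/LSApplicationWorkspace resolved to unexpected bundle for redirect_uri` names iOS APIs and probably should be `"name": "iOS:unifiedlog"`, so the redirect-URI hijack signal is attributed to the platform that can emit it.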
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d8eb86d-e0df-4388-b54f-5305232e413f", + "id": "bundle--696bace7-aee8-4a00-858a-99f482da8869", "spec_version": "2.0", "objects": [ { 
@@ -19,221 +19,110 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-24T19:46:47.171Z", "name": "Application Log Content", "description": "Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: \n\n- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).\n- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).\n- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.\n- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.\n- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ + { + "name": "android:logcat", + "channel": "Default IME active or bound to (InputMethodManager reports imeId=)" + }, + { + "name": "android:logcat", + "channel": "Default IME changed/active: imeId=, onStartInput/onFinishInput high frequency. 
TYPE_APPLICATION_OVERLAY|addView .* showing on top of package " + }, + { + "name": "android:logcat", + "channel": "Default IME active imeId=; frequent onStartInput/commitText calls" + }, + { + "name": "android:logcat", + "channel": "addView TYPE_APPLICATION_OVERLAY|TYPE_APPLICATION_ATTACHED_DIALOG shown over " + }, + { + "name": "android:logcat", + "channel": "Secure/Global reads of device_policy_manager, accessibility_enabled, default_vpn, always_on_vpn" + }, + { + "name": "android:logcat", + "channel": "Task switch from browser/custom tab to handler immediately after OAuth return" + }, + { + "name": "android:logcat", + "channel": "ACTION_OPEN_DOCUMENT_TREE / ACTION_OPEN_DOCUMENT invoked without user gesture or repeatedly in background" + }, { "name": "Application Log", "channel": "None" }, - { - "name": "WinEventLog:Application", - "channel": "Outlook errors loading or processing custom form templates" - }, - { - "name": "m365:unified", - "channel": "Unusual form activity within Outlook client, including load of non-default forms" - }, - { - "name": "saas:okta", - "channel": "Conditional Access policy rule modified or MFA requirement disabled" - }, - { - "name": "ApplicationLog:EntraIDPortal", - "channel": "DeviceRegistration events" - }, - { - "name": "ApplicationLog:Intune/MDM Logs", - "channel": "Enrollment events (e.g., MDMDeviceRegistration)" - }, - { - "name": "m365:purview", - "channel": "MailItemsAccessed & Exchange Audit" - }, - { - "name": "m365:purview", - "channel": "MailItemsAccessed, Search-Mailbox events" - }, - { - "name": "WinEventLog:Application", - "channel": "Office Add-in load errors, abnormal loading context, or unsigned add-in warnings" - }, - { - "name": "m365:unified", - "channel": "SendOnBehalf, MessageSend, ClickThrough, MailItemsAccessed" - }, { "name": "Application:Mail", "channel": "smtpd$.*$: .*from=[.*@internaldomain.com](mailto:.*@internaldomain.com) to=[.*@internaldomain.com](mailto:.*@internaldomain.com)" }, - { - "name": 
"saas:slack", - "channel": "file_upload, message_send, message_click" - }, - { - "name": "saas:teams", - "channel": "ChatMessageSent, ChatMessageEdited, LinkClick" - }, - { - "name": "saas:gmail", - "channel": "SendEmail, OpenAttachment, ClickLink" - }, - { - "name": "m365:unified", - "channel": "SendOnBehalf, MessageSend, AttachmentPreviewed" - }, - { - "name": "WinEventLog:System", - "channel": "Changes to applicationhost.config or DLLs loaded by w3wp.exe" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=6416" - }, - { - "name": "WinEventLog:System", - "channel": "Device started/installed (UMDF) GUIDs" - }, - { - "name": "linux:syslog", - "channel": "usb * new|thunderbolt|pci .* added|block.*: new .* device" - }, - { - "name": "macos:unifiedlog", - "channel": "Device attached|enumerated VID/PID" - }, - { - "name": "m365:unified", - "channel": "Send/Receive: Emails with suspicious sender domains, spoofed headers, or anomalous attachment types" - }, { "name": "Application:Mail", "channel": "Inbound messages with anomalous headers, spoofed SPF/DKIM failures" }, - { - "name": "macos:unifiedlog", - "channel": "Inbound email activity with suspicious domains or mismatched sender information" - }, - { - "name": "m365:unified", - "channel": "FileAccessed: Access of email attachments by Office applications" - }, - { - "name": "saas:collaboration", - "channel": "MessagePosted: Suspicious links or attachment delivery via collaboration tools (Slack, Teams, Zoom)" - }, - { - "name": "ApplicationLog:IIS", - "channel": "IIS W3C logs in C:\\inetpub\\logs\\LogFiles\\W3SVC* (spikes in 5xx, RCE/SQLi/path traversal/JNDI patterns)" - }, - { - "name": "ApplicationLog:WebServer", - "channel": "/var/log/httpd/access_log, /var/log/apache2/access.log, /var/log/nginx/access.log with exploit indicators and burst errors" - }, - { - "name": "macos:unifiedlog", - "channel": "App/web server logs ingested via unified logging or filebeat (nginx/apache/node)." 
- }, - { - "name": "ApplicationLog:Ingress", - "channel": "Kubernetes NGINX/Envoy ingress controller logs with anomalous payloads and 5xx spikes" - }, - { - "name": "esxi:hostd", - "channel": "/var/log/hostd.log anomalies (faults, crashes, restarts) around inbound connections" - }, - { - "name": "esxi:vmkernel", - "channel": "vmkernel / OpenSLP logs for malformed requests" - }, - { - "name": "networkdevice:controlplane", - "channel": "Syslog from edge devices with HTTP 500s on mgmt portal, SmartInstall events, unexpected CLI commands" - }, - { - "name": "WinEventLog:Application", - "channel": "Outlook rule execution failure or abnormal rule execution context" - }, - { - "name": "m365:unified", - "channel": "Creation or modification of inbox rule outside of normal user behavior" - }, - { - "name": "m365:unified", - "channel": "Send/Receive: Inbound emails containing embedded or shortened URLs" - }, { "name": "Application:Mail", "channel": "Inbound emails containing hyperlinks from suspicious sources" }, { - "name": "macos:unifiedlog", - "channel": "Received messages with embedded or shortened URLs" + "name": "Application:Mail", + "channel": "Inbound email attachments logged from MTAs with suspicious metadata" }, { - "name": "azure:signinlogs", - "channel": "ConsentGrant: Suspicious consent grants to non-approved or unknown applications" + "name": "Application:Mail", + "channel": "Mismatch between authenticated username and From header in email" }, { - "name": "m365:unified", - "channel": "AppRegistration: Unexpected application registration or OAuth authorization" + "name": "Application:Mail", + "channel": "High-frequency inbound mail activity to a specific recipient address" }, { - "name": "m365:unified", - "channel": "MessageSend, MessageRead, or FileAttached events containing credential-like patterns" + "name": "ApplicationLog:API", + "channel": "Docker/Kubernetes API access from external sources" }, { - "name": "m365:exchange", - "channel": "Emails containing 
cleartext secrets (password=, api_key=, token=) shared across internal/external domains" + "name": "ApplicationLog:CallRecords", + "channel": "Outbound or inbound calls to high-risk or blocklisted numbers" }, { - "name": "saas:slack", - "channel": "chat.postMessage, files.upload, or discovery API calls involving token/credential regex" + "name": "ApplicationLog:EntraIDPortal", + "channel": "DeviceRegistration events" }, { - "name": "linux:syslog", - "channel": "Inbound messages from webmail services containing attachments or URLs" + "name": "ApplicationLog:IIS", + "channel": "IIS W3C logs in C:\\inetpub\\logs\\LogFiles\\W3SVC* (spikes in 5xx, RCE/SQLi/path traversal/JNDI patterns)" }, { - "name": "macos:unifiedlog", - "channel": "Received messages containing embedded links or attachments from non-enterprise services" + "name": "ApplicationLog:Ingress", + "channel": "Kubernetes NGINX/Envoy ingress controller logs with anomalous payloads and 5xx spikes" }, { - "name": "WinEventLog:System", - "channel": "EventCode=1000" + "name": "ApplicationLog:Intune/MDM Logs", + "channel": "Enrollment events (e.g., MDMDeviceRegistration)" }, { - "name": "linux:syslog", - "channel": "kernel|systemd messages indicating 'segmentation fault'|'core dumped'|'service terminated unexpectedly' for sshd, smbd, vsftpd, mysqld, httpd, etc." + "name": "ApplicationLog:MailServer", + "channel": "Unexpected additions of sieve rules or filtering directives" }, { - "name": "esxi:hostd", - "channel": "Keywords: 'Backtrace','Signal 11','PANIC','hostd restarted','assert' or 'Service terminated unexpectedly' in /var/log/hostd.log, /var/log/vmkernel.log, /var/log/syslog.log." + "name": "ApplicationLog:Outlook", + "channel": "Outlook client-level rule creation actions not consistent with normal user activity" }, { - "name": "macos:unifiedlog", - "channel": "process 'crashed'|'EXC_BAD_ACCESS' for sshd, screensharingd, httpd; launchd restarts of these daemons." 
- }, - { - "name": "esxi:hostd", - "channel": "unexpected script/command invocations via hostd" - }, - { - "name": "linux:syslog", - "channel": "System daemons initiating encrypted sessions with unexpected destinations" - }, - { - "name": "esxi:vpxd", - "channel": "Symmetric crypto routines triggered for external session" + "name": "ApplicationLog:WebServer", + "channel": "/var/log/httpd/access_log, /var/log/apache2/access.log, /var/log/nginx/access.log with exploit indicators and burst errors" }, { "name": "AWS:CloudTrail", 
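Review bot: The added `android:logcat` channel strings read as if their variable parts were dropped: `bound to (InputMethodManager reports imeId=)`, `imeId=,`, `showing on top of package ` and `shown over ` each stop where a package or IME identifier would be expected. This may only be an artefact of how the page renders angle-bracket tokens, so it needs checking against the committed JSON. If the file really reads this way, an analyst cannot tell what to match on, and an explicit token would help, for example `"channel": "Default IME active or bound to {package} (InputMethodManager reports imeId={ime_id})"`. The `iOS:unifiedlog` entry `UIPasteboard read (general/string/data) by ;` in the next hunk shows the same gap. The `x_mitre_log_sources` array continues outside this hunk.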
@@ -244,228 +133,248 @@ "channel": "InvokeModel" }, { - "name": "saas:openai", - "channel": "High volume of requests to /v1/chat/completions or /v1/images/generations" + "name": "AWS:CloudTrail", + "channel": "InvokeFunction: Unexpected or repeated invocation of functions not tied to known workflows" }, { - "name": "m365:unified", - "channel": "Set-Mailbox, Add-InboxRule, RegisterWebhook" + "name": "AWS:CloudTrail", + "channel": "CreateUser|AttachRolePolicy|CreateAccessKey|UpdateAssumeRolePolicy|CreateLoginProfile" }, { - "name": "saas:application", - "channel": "High-frequency invocation of SMS-related API endpoints from publicly accessible OTP or verification forms (e.g., Twilio: SendMessage, Cognito: AdminCreateUser) with irregular destination patterns." + "name": "AWS:CloudTrail", + "channel": "StopLogging, DeleteTrail, UpdateTrail: API calls that disable or modify logging services" }, { - "name": "NSM:Connections", - "channel": "PushNotificationSent" + "name": "AWS:CloudWatch", + "channel": "Repeated crash pattern within container or instance logs" }, { - "name": "saas:okta", - "channel": "MFAChallengeIssued" + "name": "AWS:CloudWatch", + "channel": "Elevated 5xx response rates in application logs or gateway layer" }, { - "name": "WinEventLog:Application", - "channel": "Exchange Transport Service loads unusual .NET assembly or errors upon transport agent execution" + "name": "azure:activity", + "channel": "Add role assignment / ElevateAccess / Create service principal" }, { - "name": "linux:syslog", - "channel": "milter configuration updated, transport rule initialized, unexpected script execution" + "name": "azure:audit", + "channel": "App registrations or consent grants by abnormal users or at unusual times" }, { - "name": "WinEventLog:Application", - "channel": "Unexpected spikes in request volume, application-level errors, or thread pool exhaustion in web or API logs" - }, - { - "name": "linux:syslog", - "channel": "Repetitive HTTP 408, 500, or 503 errors 
logged within short timeframe" - }, - { - "name": "macos:unifiedlog", - "channel": "opendirectoryd crashes or abnormal authentication errors" - }, - { - "name": "m365:unified", - "channel": "ConsentGranted: Abuse of application integrations to mint tokens bypassing MFA" - }, - { - "name": "WinEventLog:Application", - "channel": "Browser or plugin/application logs showing script errors, plugin enumerations, or unusual extension load events" - }, - { - "name": "linux:syslog", - "channel": "Application or browser logs (webview errors, plugin enumerations) indicating suspicious script evaluation or plugin loads" - }, - { - "name": "macos:unifiedlog", - "channel": "Logs from unifiedlogging that show browser crashes, plugin enumerations, extension installs or errors around the same time as suspicious network fetches" - }, - { - "name": "m365:unified", - "channel": "Application Consent grants, new OAuth client registrations, or unusual admin-level activities executed by a user account shortly after suspected drive-by compromise" - }, - { - "name": "WinEventLog:Application", - "channel": "Outlook logs indicating failure to load or render HTML page in Home Page view" - }, - { - "name": "m365:unified", - "channel": "Folder configuration updated with external or HTML-formatted Home Page via Set-MailboxFolder" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=1102" - }, - { - "name": "linux:cli", - "channel": "cleared or truncated .bash_history" - }, - { - "name": "macos:unifiedlog", - "channel": "log stream cleared or truncated" - }, - { - "name": "m365:unified", - "channel": "PurgeAuditLogs, Remove-MailboxAuditLog" - }, - { - "name": "WinEventLog:System", - "channel": "EventCode=104" - }, - { - "name": "WinEventLog:Application", - "channel": "EventCode=1000" - }, - { - "name": "EDR:detection", - "channel": "ThreatDetected, QuarantineLog" - }, - { - "name": "macos:unifiedlog", - "channel": "quarantine or AV-related subsystem" - }, - { - "name": 
"EDR:detection", - "channel": "ThreatLog" + "name": "azure:signinlogs", + "channel": "ConsentGrant: Suspicious consent grants to non-approved or unknown applications" }, { "name": "azure:signinlogs", "channel": "Modify Conditional Access Policy" }, { - "name": "m365:unified", - "channel": "Set-CsOnlineUser or UpdateAuthPolicy" + "name": "azure:signinlogs", + "channel": "Register PTA Agent or Modify AD FS trust" }, { - "name": "m365:unified", - "channel": "New-InboxRule or Set-InboxRule events recorded in Exchange Online" - }, - { - "name": "ApplicationLog:MailServer", - "channel": "Unexpected additions of sieve rules or filtering directives" - }, - { - "name": "m365:unified", - "channel": "Transport rule or inbox rule creation events" - }, - { - "name": "ApplicationLog:Outlook", - "channel": "Outlook client-level rule creation actions not consistent with normal user activity" - }, - { - "name": "kubernetes:orchestrator", - "channel": "Access to orchestrator logs containing credentials (Docker/Kubernetes logs)" - }, - { - "name": "WinEventLog:Application", - "channel": "Service crash, unhandled exception, or application hang warnings for critical services (e.g., IIS, DNS, SQL Server)" - }, - { - "name": "journald:systemd", - "channel": "Repeated service restart attempts or unit failures" - }, - { - "name": "macos:unifiedlog", - "channel": "Repeated process crashes logged by CrashReporter or system instability logs in com.apple.console" - }, - { - "name": "docker:events", - "channel": "Container exited with non-zero code repeatedly in short period" - }, - { - "name": "WinEventLog:Application", - "channel": "SCCM, Intune logs" - }, - { - "name": "macos:jamf", - "channel": "RemoteCommandExecution" - }, - { - "name": "networkdevice:syslog", - "channel": "config push events" - }, - { - "name": "linux:syslog", - "channel": "processes binding to non-standard ports or sshd configured on unexpected port" - }, - { - "name": "m365:unified", - "channel": "GAL Lookup or Address 
Book download" - }, - { - "name": "esxi:hostd", - "channel": "Guest Operations API invocation: StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, InitiateFileTransferFromGuest" - }, - { - "name": "m365:unified", - "channel": "Send/Receive: Inbound emails with attachments from suspicious or spoofed senders" - }, - { - "name": "Application:Mail", - "channel": "Inbound email attachments logged from MTAs with suspicious metadata" - }, - { - "name": "macos:unifiedlog", - "channel": "Inbound messages with attachments from suspicious domains" - }, - { - "name": "WinEventLog:Application", - "channel": "Unexpected web application errors or CMS logs showing modification to index.html, default.aspx, or other public-facing files" - }, - { - "name": "m365:unified", - "channel": "certificate added or modified in application credentials" - }, - { - "name": "saas:Snowflake", - "channel": "QUERY: Large or repeated SELECT * queries to sensitive tables" - }, - { - "name": "saas:Airtable", - "channel": "EXPORT: User-triggered data export via GUI or API" - }, - { - "name": "ApplicationLog:CallRecords", - "channel": "Outbound or inbound calls to high-risk or blocklisted numbers" - }, - { - "name": "networkdevice:syslog", - "channel": "SIP REGISTER, INVITE, or unusual call destination metadata" - }, - { - "name": "macos:unifiedlog", - "channel": "Outgoing or incoming calls with non-standard caller IDs or unusual metadata" - }, - { - "name": "m365:unified", - "channel": "Unusual MFA requests or OAuth consent events temporally aligned with user-reported vishing call" + "name": "azure:signinlogs", + "channel": "Resource access initiated using application credentials, not user accounts" }, { "name": "docker:daemon", "channel": "container_create,container_start" }, { - "name": "saas:github", - "channel": "Bulk access to multiple files or large volume of repo requests within short time window" + "name": "docker:events", + "channel": "Container exited with non-zero code repeatedly in 
short period" + }, + { + "name": "docker:runtime", + "channel": "execution of cloud CLI tool (e.g., aws, az) inside container" + }, + { + "name": "EDR:detection", + "channel": "ThreatDetected, QuarantineLog" + }, + { + "name": "EDR:detection", + "channel": "ThreatLog" + }, + { + "name": "esxi:esxupdate", + "channel": "/var/log/esxupdate.log contains VIB installed with `--force` or `--no-sig-check` and non-standard acceptance levels" + }, + { + "name": "esxi:hostd", + "channel": "/var/log/hostd.log anomalies (faults, crashes, restarts) around inbound connections" + }, + { + "name": "esxi:hostd", + "channel": "Keywords: 'Backtrace','Signal 11','PANIC','hostd restarted','assert' or 'Service terminated unexpectedly' in /var/log/hostd.log, /var/log/vmkernel.log, /var/log/syslog.log." + }, + { + "name": "esxi:hostd", + "channel": "unexpected script/command invocations via hostd" + }, + { + "name": "esxi:hostd", + "channel": "Guest Operations API invocation: StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, InitiateFileTransferFromGuest" + }, + { + "name": "esxi:hostd", + "channel": "unexpected script invocations producing long encoded strings" + }, + { + "name": "esxi:hostd", + "channel": "Host daemon command log entries related to vib enumeration" + }, + { + "name": "esxi:hostd", + "channel": "New extension/module install with unknown vendor ID" + }, + { + "name": "esxi:vmkernel", + "channel": "vmkernel / OpenSLP logs for malformed requests" + }, + { + "name": "esxi:vpxd", + "channel": "Symmetric crypto routines triggered for external session" + }, + { + "name": "esxi:vpxd", + "channel": "ESXi process initiating asymmetric handshake with external host" + }, + { + "name": "gcp:workspaceaudit", + "channel": "SendAs: Outbound messages with alias identities that differ from primary account" + }, + { + "name": "iOS:unifiedlog", + "channel": "Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging" + }, + { + "name": 
"iOS:unifiedlog", + "channel": "UIPasteboard read (general/string/data) by ; repeated reads or background access" + }, + { + "name": "iOS:unifiedlog", + "channel": "UIWindow/UIView events indicating secure text entry focus, editingChanged bursts, unexpected firstResponder cycling" + }, + { + "name": "iOS:unifiedlog", + "channel": "Secure text entry focus and editingChanged bursts not typical for the app" + }, + { + "name": "iOS:unifiedlog", + "channel": "Presentation of credential-like view (UIAlertController with text fields / custom modal) not backed by system auth controller; frequent editingChanged in secureTextEntry fields" + }, + { + "name": "iOS:unifiedlog", + "channel": "Repeated canOpenURL checks across diverse schemes (\u2265N within short window)" + }, + { + "name": "iOS:unifiedlog", + "channel": "UIDocumentPickerViewController presented repeatedly without foreground interaction or with short dwell time" + }, + { + "name": "iOS:unifiedlog", + "channel": "repeated sandbox denials related to restricted process/system interfaces consistent with process-table querying attempts" + }, + { + "name": "iOS:unifiedlog", + "channel": "security-relevant kernel log messages indicating restricted system interface access attempts by app process (device-dependent visibility)" + }, + { + "name": "journald:Application", + "channel": "Segfault or crash log entry associated with specific application binary" + }, + { + "name": "journald:systemd", + "channel": "Repeated service restart attempts or unit failures" + }, + { + "name": "kubernetes:orchestrator", + "channel": "Access to orchestrator logs containing credentials (Docker/Kubernetes logs)" + }, + { + "name": "linux:cli", + "channel": "cleared or truncated .bash_history" + }, + { + "name": "linux:syslog", + "channel": "usb * new|thunderbolt|pci .* added|block.*: new .* device" + }, + { + "name": "linux:syslog", + "channel": "Inbound messages from webmail services containing attachments or URLs" + }, + { + "name": 
"linux:syslog", + "channel": "kernel|systemd messages indicating 'segmentation fault'|'core dumped'|'service terminated unexpectedly' for sshd, smbd, vsftpd, mysqld, httpd, etc." + }, + { + "name": "linux:syslog", + "channel": "System daemons initiating encrypted sessions with unexpected destinations" + }, + { + "name": "linux:syslog", + "channel": "milter configuration updated, transport rule initialized, unexpected script execution" + }, + { + "name": "linux:syslog", + "channel": "Repetitive HTTP 408, 500, or 503 errors logged within short timeframe" + }, + { + "name": "linux:syslog", + "channel": "Application or browser logs (webview errors, plugin enumerations) indicating suspicious script evaluation or plugin loads" + }, + { + "name": "linux:syslog", + "channel": "processes binding to non-standard ports or sshd configured on unexpected port" + }, + { + "name": "linux:syslog", + "channel": "system daemons initiating TLS sessions outside expected services" + }, + { + "name": "linux:syslog", + "channel": "browser/office crash, segfault, abnormal termination" + }, + { + "name": "linux:syslog", + "channel": "Error/warning logs from services indicating load spike or worker exhaustion" + }, + { + "name": "linux:syslog", + "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched from_domain vs return_path_domain" + }, + { + "name": "linux:syslog", + "channel": "suspicious DHCP lease assignment with unexpected DNS or gateway" + }, + { + "name": "linux:syslog", + "channel": "opened document|clicked link|segfault|abnormal termination|sandbox" + }, + { + "name": "linux:syslog", + "channel": "Authentication attempts into finance-related servers from unusual IPs or times" + }, + { + "name": "linux:syslog", + "channel": "sshd sessions with unusual port forwarding parameters" + }, + { + "name": "linux:syslog", + "channel": "Non-standard processes negotiating SSL/TLS key exchanges" + }, + { + "name": "linux:syslog", + "channel": "Module registration or stacktrace logs 
indicating segmentation faults or unknown module errors" + }, + { + "name": "linux:syslog", + "channel": "Segfaults, kernel oops, or crashes in security software processes" + }, + { + "name": "m365:exchange", + "channel": "Emails containing cleartext secrets (password=, api_key=, token=) shared across internal/external domains" }, { "name": "m365:exchange", 
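Review bot: Several entries on the new side of this hunk describe the same signal twice, which makes it hard to map one log-source entry to one analytic. Under `iOS:unifiedlog`, `Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging` overlaps with `UIPasteboard read (general/string/data) by ; repeated reads or background access`, and the two secure-text-entry `editingChanged` entries overlap as well. Under `linux:syslog`, `System daemons initiating encrypted sessions with unexpected destinations` and `system daemons initiating TLS sessions outside expected services` appear to be the same observation. Some of these may be older entries that the re-sort only moved next to each other, but merging each pair, or wording them so the difference is explicit, would keep the list usable. Separately, the `canOpenURL` entry states its threshold as `\u2265N` without defining N, so it should give a starting value or say that N is environment-specific.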
@@ -476,33 +385,137 @@ "channel": "Admin Audit Logs, Transport Rules" }, { - "name": "saas:application", - "channel": "High-volume API calls or traffic via messaging or webhook service" + "name": "m365:exchange", + "channel": "MailDelivery: High-frequency delivery of messages or attachments to a single recipient" + }, + { + "name": "m365:exchange", + "channel": "New-InboxRule: Automation that triggers abnormal forwarding or external link generation" + }, + { + "name": "m365:exchange", + "channel": "MessageTrace logs" + }, + { + "name": "m365:exchange", + "channel": "External sender message followed by user action involving links or attachments" + }, + { + "name": "m365:mailboxaudit", + "channel": "Outlook rule creation or custom form deployment" + }, + { + "name": "m365:messagetrace", + "channel": "AuthenticationDetails=fail OR SPF=fail OR DKIM=fail OR DMARC=fail" + }, + { + "name": "m365:messagetrace", + "channel": "X-MS-Exchange-Organization-AutoForwarded" + }, + { + "name": "m365:purview", + "channel": "MailItemsAccessed & Exchange Audit" + }, + { + "name": "m365:purview", + "channel": "MailItemsAccessed, Search-Mailbox events" + }, + { + "name": "m365:teams", + "channel": "External chat request or new tenant communication preceding approval activity" + }, + { + "name": "m365:unified", + "channel": "Unusual form activity within Outlook client, including load of non-default forms" + }, + { + "name": "m365:unified", + "channel": "SendOnBehalf, MessageSend, ClickThrough, MailItemsAccessed" + }, + { + "name": "m365:unified", + "channel": "SendOnBehalf, MessageSend, AttachmentPreviewed" + }, + { + "name": "m365:unified", + "channel": "Send/Receive: Emails with suspicious sender domains, spoofed headers, or anomalous attachment types" + }, + { + "name": "m365:unified", + "channel": "FileAccessed: Access of email attachments by Office applications" + }, + { + "name": "m365:unified", + "channel": "Creation or modification of inbox rule outside of normal user behavior" + 
}, + { + "name": "m365:unified", + "channel": "Send/Receive: Inbound emails containing embedded or shortened URLs" + }, + { + "name": "m365:unified", + "channel": "AppRegistration: Unexpected application registration or OAuth authorization" + }, + { + "name": "m365:unified", + "channel": "MessageSend, MessageRead, or FileAttached events containing credential-like patterns" + }, + { + "name": "m365:unified", + "channel": "Set-Mailbox, Add-InboxRule, RegisterWebhook" + }, + { + "name": "m365:unified", + "channel": "ConsentGranted: Abuse of application integrations to mint tokens bypassing MFA" + }, + { + "name": "m365:unified", + "channel": "Application Consent grants, new OAuth client registrations, or unusual admin-level activities executed by a user account shortly after suspected drive-by compromise" + }, + { + "name": "m365:unified", + "channel": "Folder configuration updated with external or HTML-formatted Home Page via Set-MailboxFolder" + }, + { + "name": "m365:unified", + "channel": "PurgeAuditLogs, Remove-MailboxAuditLog" + }, + { + "name": "m365:unified", + "channel": "Set-CsOnlineUser or UpdateAuthPolicy" + }, + { + "name": "m365:unified", + "channel": "New-InboxRule or Set-InboxRule events recorded in Exchange Online" + }, + { + "name": "m365:unified", + "channel": "Transport rule or inbox rule creation events" + }, + { + "name": "m365:unified", + "channel": "GAL Lookup or Address Book download" + }, + { + "name": "m365:unified", + "channel": "Send/Receive: Inbound emails with attachments from suspicious or spoofed senders" + }, + { + "name": "m365:unified", + "channel": "certificate added or modified in application credentials" + }, + { + "name": "m365:unified", + "channel": "Unusual MFA requests or OAuth consent events temporally aligned with user-reported vishing call" }, { "name": "m365:unified", "channel": "Set federation settings on domain|Set domain authentication|Add federated identity provider" }, - { - "name": "linux:syslog", - "channel": 
"system daemons initiating TLS sessions outside expected services" - }, { "name": "m365:unified", "channel": "SendOnBehalf/SendAs: Emails sent where the sending identity mismatches account ownership" }, - { - "name": "Application:Mail", - "channel": "Mismatch between authenticated username and From header in email" - }, - { - "name": "macos:unifiedlog", - "channel": "Mail.app or third-party clients sending messages with mismatched From headers" - }, - { - "name": "gcp:workspaceaudit", - "channel": "SendAs: Outbound messages with alias identities that differ from primary account" - }, { "name": "m365:unified", "channel": "Set-MailboxAutoReplyConfiguration: Unexpected rule changes creating impersonated replies" 
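Review bot: Exchange message-trace telemetry ends up under two source names in this hunk: `"name": "m365:exchange"` with `"channel": "MessageTrace logs"`, and `"name": "m365:messagetrace"` with the SPF/DKIM/DMARC and `X-MS-Exchange-Organization-AutoForwarded` channels. A consumer that keys collection or coverage reporting on `name` will count these as different sources and may report a gap that is not there. If they are the same feed, the first entry could use `"name": "m365:messagetrace"` and a channel that names the event of interest rather than the log itself. The array continues past this hunk, so other aliases may exist outside it.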
@@ -511,242 +524,34 @@ "name": "m365:unified", "channel": "SendOnBehalf/SendAs: Office Suite initiated messages using impersonated identities" }, - { - "name": "linux:syslog", - "channel": "browser/office crash, segfault, abnormal termination" - }, - { - "name": "macos:unifiedlog", - "channel": "process crash, abort, code signing violations" - }, - { - "name": "saas:okta", - "channel": "WebUI access to administrator dashboard" - }, { "name": "m365:unified", "channel": "Read-only configuration review from GUI" }, - { - "name": "saas:box", - "channel": "User navigated to admin interface" - }, - { - "name": "azure:signinlogs", - "channel": "Register PTA Agent or Modify AD FS trust" - }, { "name": "m365:unified", "channel": "Modify Federation Settings or Update Authentication Policy" }, - { - "name": "saas:okta", - "channel": "Federation configuration update or signing certificate change" - }, - { - "name": "macos:unifiedlog", - "channel": "Configuration profile modified or new profile installed" - }, - { - "name": "journald:Application", - "channel": "Segfault or crash log entry associated with specific application binary" - }, - { - "name": "macos:unifiedlog", - "channel": "Crash log entries for a process receiving malformed input or known exploit patterns" - }, - { - "name": "AWS:CloudWatch", - "channel": "Repeated crash pattern within container or instance logs" - }, - { - "name": "esxi:hostd", - "channel": "unexpected script invocations producing long encoded strings" - }, - { - "name": "docker:runtime", - "channel": "execution of cloud CLI tool (e.g., aws, az) inside container" - }, - { - "name": "WinEventLog:Application", - "channel": "VPN, Citrix, or remote access gateway logs showing external IP addresses" - }, - { - "name": "NSM:Connections", - "channel": "Failed password or accepted password for SSH users" - }, - { - "name": "ApplicationLog:API", - "channel": "Docker/Kubernetes API access from external sources" - }, { "name": "m365:unified", "channel": 
"Send/Receive: Unusual spikes in inbound messages to a single recipient" }, - { - "name": "Application:Mail", - "channel": "High-frequency inbound mail activity to a specific recipient address" - }, - { - "name": "m365:exchange", - "channel": "MailDelivery: High-frequency delivery of messages or attachments to a single recipient" - }, - { - "name": "macos:unifiedlog", - "channel": "Repetitive inbound email delivery activity logged within a short time window" - }, - { - "name": "saas:confluence", - "channel": "access.content" - }, { "name": "m365:unified", "channel": "PowerShell: Add-MailboxPermission" }, - { - "name": "AWS:CloudTrail", - "channel": "InvokeFunction: Unexpected or repeated invocation of functions not tied to known workflows" - }, - { - "name": "m365:exchange", - "channel": "New-InboxRule: Automation that triggers abnormal forwarding or external link generation" - }, - { - "name": "saas:googledrive", - "channel": "FileOpen / FileAccess: Event-driven script triggering on user file actions" - }, - { - "name": "networkdevice:syslog", - "channel": "Failed authentication requests redirected to non-standard portals" - }, - { - "name": "saas:okta", - "channel": "System API Call: user.read, group.read" - }, - { - "name": "esxi:hostd", - "channel": "Host daemon command log entries related to vib enumeration" - }, { "name": "m365:unified", "channel": "Add-MailboxPermission or Set-ManagementRoleAssignment" }, - { - "name": "WinEventLog:Application", - "channel": "Outlook rule creation, form load, or homepage redirection" - }, - { - "name": "m365:mailboxaudit", - "channel": "Outlook rule creation or custom form deployment" - }, - { - "name": "saas:zoom", - "channel": "unusual web session tokens and automation patterns during login" - }, - { - "name": "WinEventLog:Application", - "channel": "High-frequency errors or hangs from resource-intensive application components (e.g., .NET, IIS, Office Suite)" - }, - { - "name": "linux:syslog", - "channel": "Error/warning 
logs from services indicating load spike or worker exhaustion" - }, - { - "name": "macos:unifiedlog", - "channel": "Application errors or resource contention from excessive frontend or script invocation" - }, - { - "name": "AWS:CloudWatch", - "channel": "Elevated 5xx response rates in application logs or gateway layer" - }, - { - "name": "m365:messagetrace", - "channel": "AuthenticationDetails=fail OR SPF=fail OR DKIM=fail OR DMARC=fail" - }, - { - "name": "linux:syslog", - "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched from_domain vs return_path_domain" - }, - { - "name": "macos:unifiedlog", - "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched header vs envelope domains" - }, - { - "name": "saas:email", - "channel": "AuthenticationFailures (SPF/DKIM/DMARC) OR Domain Mismatch" - }, - { - "name": "WinEventLog:System", - "channel": "EventCode=1341, 1342, 1020, 1063" - }, - { - "name": "linux:syslog", - "channel": "suspicious DHCP lease assignment with unexpected DNS or gateway" - }, - { - "name": "macos:unifiedlog", - "channel": "new DHCP configuration with anomalous DNS or router values" - }, - { - "name": "WinEventLog:Application", - "channel": "Exchange logs or header artifacts" - }, - { - "name": "macos:unifiedlog", - "channel": "Mail or AppleScript subsystem" - }, - { - "name": "m365:exchange", - "channel": "MessageTrace logs" - }, - { - "name": "linux:syslog", - "channel": "opened document|clicked link|segfault|abnormal termination|sandbox" - }, - { - "name": "macos:unifiedlog", - "channel": "opened document|clicked link|EXC_BAD_ACCESS|abort|LSQuarantine" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4663, 4670, 4656" - }, { "name": "m365:unified", "channel": "Set-PartnerOfRecord / CompanyAdministrator role assignments / New-DelegatedAdminRelationship" }, - { - "name": "AWS:CloudTrail", - "channel": "CreateUser|AttachRolePolicy|CreateAccessKey|UpdateAssumeRolePolicy|CreateLoginProfile" - }, - { - "name": 
"azure:activity", - "channel": "Add role assignment / ElevateAccess / Create service principal" - }, - { - "name": "saas:googleworkspace", - "channel": "OAuth2 authorization grants / Admin role assignments" - }, { "name": "m365:unified", "channel": "Add-DelegatedAdmin, Set-PartnerOfRecord, Add-MailboxPermission, Set-OrganizationRelationship" }, - { - "name": "linux:syslog", - "channel": "Authentication attempts into finance-related servers from unusual IPs or times" - }, - { - "name": "macos:unifiedlog", - "channel": "Anomalous keychain access attempts targeting payment credentials" - }, - { - "name": "saas:finance", - "channel": "Transaction/Transfer: Unusual or large transactions initiated outside business hours or by unusual accounts" - }, - { - "name": "saas:audit", - "channel": "Rule/ConfigChange: Auto-forward rules, delegate assignments, or changes to financial approval workflows" - }, { "name": "m365:unified", "channel": "MailSend: Outlook messages with suspicious subject/body terms (e.g., urgent payment, wire transfer) targeting finance teams" 
@@ -763,66 +568,10 @@ "name": "m365:unified", "channel": "RunMacro" }, - { - "name": "azure:audit", - "channel": "App registrations or consent grants by abnormal users or at unusual times" - }, - { - "name": "azure:signinlogs", - "channel": "Resource access initiated using application credentials, not user accounts" - }, - { - "name": "saas:slack", - "channel": "OAuth token use by unknown app client_id accessing private channels or files" - }, - { - "name": "esxi:esxupdate", - "channel": "/var/log/esxupdate.log contains VIB installed with `--force` or `--no-sig-check` and non-standard acceptance levels" - }, - { - "name": "linux:syslog", - "channel": "sshd sessions with unusual port forwarding parameters" - }, - { - "name": "saas:audit", - "channel": "Application added or consent granted: Integration persisting after original user disabled" - }, - { - "name": "linux:syslog", - "channel": "Non-standard processes negotiating SSL/TLS key exchanges" - }, - { - "name": "esxi:vpxd", - "channel": "ESXi process initiating asymmetric handshake with external host" - }, - { - "name": "WinEventLog:Application", - "channel": "Unusual DLL/plugin registration for IIS/SQL/Apache or unexpected error logs" - }, - { - "name": "linux:syslog", - "channel": "Module registration or stacktrace logs indicating segmentation faults or unknown module errors" - }, - { - "name": "esxi:hostd", - "channel": "New extension/module install with unknown vendor ID" - }, { "name": "m365:unified", "channel": "FileUploaded or FileCopied events" }, - { - "name": "saas:salesforce", - "channel": "DataExport, RestAPI, Login, ReportExport" - }, - { - "name": "saas:hubspot", - "channel": "contact_viewed, contact_exported, login" - }, - { - "name": "saas:slack", - "channel": "conversations.history, files.list, users.info, audit_logs" - }, { "name": "m365:unified", "channel": "TeamsMessageAccess, TeamsExport, ExternalAppAccess" 
@@ -836,24 +585,368 @@ "channel": "FileAccessed" }, { - "name": "m365:messagetrace", - "channel": "X-MS-Exchange-Organization-AutoForwarded" + "name": "m365:unified", + "channel": "ApplicationModified, ConsentGranted: Unexpected app consent or modification events linked to security evasion" }, { - "name": "linux:syslog", - "channel": "Segfaults, kernel oops, or crashes in security software processes" + "name": "m365:unified", + "channel": "MailItemsAccessed; AddedInboxRule; ConsentToApplication; SharingSet" + }, + { + "name": "m365:unified", + "channel": "Set-AdminAuditLogConfig;New-ApplicationAccessPolicy;ConsentToApplication" + }, + { + "name": "macos:jamf", + "channel": "RemoteCommandExecution" + }, + { + "name": "macos:unifiedlog", + "channel": "Device attached|enumerated VID/PID" + }, + { + "name": "macos:unifiedlog", + "channel": "Inbound email activity with suspicious domains or mismatched sender information" + }, + { + "name": "macos:unifiedlog", + "channel": "App/web server logs ingested via unified logging or filebeat (nginx/apache/node)." + }, + { + "name": "macos:unifiedlog", + "channel": "Received messages with embedded or shortened URLs" + }, + { + "name": "macos:unifiedlog", + "channel": "Received messages containing embedded links or attachments from non-enterprise services" + }, + { + "name": "macos:unifiedlog", + "channel": "process 'crashed'|'EXC_BAD_ACCESS' for sshd, screensharingd, httpd; launchd restarts of these daemons." 
+ }, + { + "name": "macos:unifiedlog", + "channel": "opendirectoryd crashes or abnormal authentication errors" + }, + { + "name": "macos:unifiedlog", + "channel": "Logs from unifiedlogging that show browser crashes, plugin enumerations, extension installs or errors around the same time as suspicious network fetches" + }, + { + "name": "macos:unifiedlog", + "channel": "log stream cleared or truncated" + }, + { + "name": "macos:unifiedlog", + "channel": "quarantine or AV-related subsystem" + }, + { + "name": "macos:unifiedlog", + "channel": "Repeated process crashes logged by CrashReporter or system instability logs in com.apple.console" + }, + { + "name": "macos:unifiedlog", + "channel": "Inbound messages with attachments from suspicious domains" + }, + { + "name": "macos:unifiedlog", + "channel": "Outgoing or incoming calls with non-standard caller IDs or unusual metadata" + }, + { + "name": "macos:unifiedlog", + "channel": "Mail.app or third-party clients sending messages with mismatched From headers" + }, + { + "name": "macos:unifiedlog", + "channel": "process crash, abort, code signing violations" + }, + { + "name": "macos:unifiedlog", + "channel": "Configuration profile modified or new profile installed" + }, + { + "name": "macos:unifiedlog", + "channel": "Crash log entries for a process receiving malformed input or known exploit patterns" + }, + { + "name": "macos:unifiedlog", + "channel": "Repetitive inbound email delivery activity logged within a short time window" + }, + { + "name": "macos:unifiedlog", + "channel": "Application errors or resource contention from excessive frontend or script invocation" + }, + { + "name": "macos:unifiedlog", + "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched header vs envelope domains" + }, + { + "name": "macos:unifiedlog", + "channel": "new DHCP configuration with anomalous DNS or router values" + }, + { + "name": "macos:unifiedlog", + "channel": "Mail or AppleScript subsystem" + }, + { + "name": 
"macos:unifiedlog", + "channel": "opened document|clicked link|EXC_BAD_ACCESS|abort|LSQuarantine" + }, + { + "name": "macos:unifiedlog", + "channel": "Anomalous keychain access attempts targeting payment credentials" }, { "name": "macos:unifiedlog", "channel": "Abnormal terminations of com.apple.security.* or 3rd-party security daemons" }, { - "name": "AWS:CloudTrail", - "channel": "StopLogging, DeleteTrail, UpdateTrail: API calls that disable or modify logging services" + "name": "networkdevice:controlplane", + "channel": "Syslog from edge devices with HTTP 500s on mgmt portal, SmartInstall events, unexpected CLI commands" }, { - "name": "m365:unified", - "channel": "ApplicationModified, ConsentGranted: Unexpected app consent or modification events linked to security evasion" + "name": "networkdevice:syslog", + "channel": "config push events" + }, + { + "name": "networkdevice:syslog", + "channel": "SIP REGISTER, INVITE, or unusual call destination metadata" + }, + { + "name": "networkdevice:syslog", + "channel": "Failed authentication requests redirected to non-standard portals" + }, + { + "name": "NSM:Connections", + "channel": "PushNotificationSent" + }, + { + "name": "NSM:Connections", + "channel": "Failed password or accepted password for SSH users" + }, + { + "name": "saas:Airtable", + "channel": "EXPORT: User-triggered data export via GUI or API" + }, + { + "name": "saas:application", + "channel": "High-frequency invocation of SMS-related API endpoints from publicly accessible OTP or verification forms (e.g., Twilio: SendMessage, Cognito: AdminCreateUser) with irregular destination patterns." 
+ }, + { + "name": "saas:application", + "channel": "High-volume API calls or traffic via messaging or webhook service" + }, + { + "name": "saas:audit", + "channel": "Rule/ConfigChange: Auto-forward rules, delegate assignments, or changes to financial approval workflows" + }, + { + "name": "saas:audit", + "channel": "Application added or consent granted: Integration persisting after original user disabled" + }, + { + "name": "saas:box", + "channel": "User navigated to admin interface" + }, + { + "name": "saas:collaboration", + "channel": "MessagePosted: Suspicious links or attachment delivery via collaboration tools (Slack, Teams, Zoom)" + }, + { + "name": "saas:confluence", + "channel": "access.content" + }, + { + "name": "saas:email", + "channel": "AuthenticationFailures (SPF/DKIM/DMARC) OR Domain Mismatch" + }, + { + "name": "saas:finance", + "channel": "Transaction/Transfer: Unusual or large transactions initiated outside business hours or by unusual accounts" + }, + { + "name": "saas:github", + "channel": "Bulk access to multiple files or large volume of repo requests within short time window" + }, + { + "name": "saas:gmail", + "channel": "SendEmail, OpenAttachment, ClickLink" + }, + { + "name": "saas:googledrive", + "channel": "FileOpen / FileAccess: Event-driven script triggering on user file actions" + }, + { + "name": "saas:googleworkspace", + "channel": "OAuth2 authorization grants / Admin role assignments" + }, + { + "name": "saas:hubspot", + "channel": "contact_viewed, contact_exported, login" + }, + { + "name": "saas:okta", + "channel": "Conditional Access policy rule modified or MFA requirement disabled" + }, + { + "name": "saas:okta", + "channel": "MFAChallengeIssued" + }, + { + "name": "saas:okta", + "channel": "WebUI access to administrator dashboard" + }, + { + "name": "saas:okta", + "channel": "Federation configuration update or signing certificate change" + }, + { + "name": "saas:okta", + "channel": "System API Call: user.read, group.read" + }, 
+ { + "name": "saas:okta", + "channel": "policy.rule.update;system.log.disable;admin.role.assign" + }, + { + "name": "saas:openai", + "channel": "High volume of requests to /v1/chat/completions or /v1/images/generations" + }, + { + "name": "saas:salesforce", + "channel": "DataExport, RestAPI, Login, ReportExport" + }, + { + "name": "saas:slack", + "channel": "file_upload, message_send, message_click" + }, + { + "name": "saas:slack", + "channel": "chat.postMessage, files.upload, or discovery API calls involving token/credential regex" + }, + { + "name": "saas:slack", + "channel": "OAuth token use by unknown app client_id accessing private channels or files" + }, + { + "name": "saas:slack", + "channel": "conversations.history, files.list, users.info, audit_logs" + }, + { + "name": "saas:slack", + "channel": "xternal DM or workspace invite preceding credential or approval actions" + }, + { + "name": "saas:Snowflake", + "channel": "QUERY: Large or repeated SELECT * queries to sensitive tables" + }, + { + "name": "saas:teams", + "channel": "ChatMessageSent, ChatMessageEdited, LinkClick" + }, + { + "name": "saas:zoom", + "channel": "unusual web session tokens and automation patterns during login" + }, + { + "name": "saas:zoom", + "channel": "Unexpected contact interaction preceding follow-on admin requests" + }, + { + "name": "WinEventLog:Application", + "channel": "Outlook errors loading or processing custom form templates" + }, + { + "name": "WinEventLog:Application", + "channel": "Office Add-in load errors, abnormal loading context, or unsigned add-in warnings" + }, + { + "name": "WinEventLog:Application", + "channel": "Outlook rule execution failure or abnormal rule execution context" + }, + { + "name": "WinEventLog:Application", + "channel": "Exchange Transport Service loads unusual .NET assembly or errors upon transport agent execution" + }, + { + "name": "WinEventLog:Application", + "channel": "Unexpected spikes in request volume, application-level errors, or 
thread pool exhaustion in web or API logs" + }, + { + "name": "WinEventLog:Application", + "channel": "Browser or plugin/application logs showing script errors, plugin enumerations, or unusual extension load events" + }, + { + "name": "WinEventLog:Application", + "channel": "Outlook logs indicating failure to load or render HTML page in Home Page view" + }, + { + "name": "WinEventLog:Application", + "channel": "EventCode=1000" + }, + { + "name": "WinEventLog:Application", + "channel": "Service crash, unhandled exception, or application hang warnings for critical services (e.g., IIS, DNS, SQL Server)" + }, + { + "name": "WinEventLog:Application", + "channel": "SCCM, Intune logs" + }, + { + "name": "WinEventLog:Application", + "channel": "Unexpected web application errors or CMS logs showing modification to index.html, default.aspx, or other public-facing files" + }, + { + "name": "WinEventLog:Application", + "channel": "VPN, Citrix, or remote access gateway logs showing external IP addresses" + }, + { + "name": "WinEventLog:Application", + "channel": "Outlook rule creation, form load, or homepage redirection" + }, + { + "name": "WinEventLog:Application", + "channel": "High-frequency errors or hangs from resource-intensive application components (e.g., .NET, IIS, Office Suite)" + }, + { + "name": "WinEventLog:Application", + "channel": "Exchange logs or header artifacts" + }, + { + "name": "WinEventLog:Application", + "channel": "Unusual DLL/plugin registration for IIS/SQL/Apache or unexpected error logs" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=6416" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=1102" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4663, 4670, 4656" + }, + { + "name": "WinEventLog:System", + "channel": "Changes to applicationhost.config or DLLs loaded by w3wp.exe" + }, + { + "name": "WinEventLog:System", + "channel": "Device started/installed (UMDF) GUIDs" + }, + { + "name": 
"WinEventLog:System", + "channel": "EventCode=1000" + }, + { + "name": "WinEventLog:System", + "channel": "EventCode=104" + }, + { + "name": "WinEventLog:System", + "channel": "EventCode=1341, 1342, 1020, 1063" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json index b9e35ab61d..64be1c048e 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7dd56b73-8221-4d4d-ae46-27562f73b93c", + "id": "bundle--1eb9efcb-e685-405b-ae79-18ea74efdbb8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json index 079e03def6..0a25715ae8 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6aa11be1-0a8f-467d-9f82-5165fa1e13af", + "id": "bundle--fcdd4de5-15d3-4d2b-90d7-d82416201443", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json index b6136e66b9..700351c0fd 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json 
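Review bot: One added `saas:slack` entry has a truncated channel string, `"xternal DM or workspace invite preceding credential or approval actions"`; it should read `"channel": "External DM or workspace invite preceding credential or approval actions"`. The added names also mix case under the `saas:` prefix (`saas:Airtable`, `saas:Snowflake` next to `saas:slack`, `saas:okta`), so a consumer that matches log-source names case-sensitively will not group them the way the ordering suggests; lower-casing the two would match the rest if nothing depends on the current spelling. The log-source array opens before this hunk. The sources removed here (for example the `AWS:CloudTrail` entry for `StopLogging, DeleteTrail, UpdateTrail`) presumably reappear in name order outside it, which is worth confirming so that no detection source is dropped by the reordering.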
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3e001e99-12e8-4c09-be7c-647925ffde9e", + "id": "bundle--9c513e3d-61c7-4367-8866-c17870ab29fc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json index 28a4728193..1de44afb88 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4fa270d8-36a5-40be-b96d-95cff5a9b559", + "id": "bundle--d2e72372-f5e1-4c42-949a-72329c9a322a", "spec_version": "2.0", "objects": [ { @@ -12,14 +12,14 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datacomponents/DC0078", + "url": "https://attack.mitre.org/data-components/DC0078", "external_id": "DC0078" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-09T17:32:30.362Z", "name": "Network Traffic Flow", "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -29,7 +29,7 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { 
@@ -651,6 +651,22 @@ { "name": "esxi:vmkernel", "channel": "port 22 access" + }, + { + "name": "TelecomLogs:MobilityEvents", + "channel": "Unexpected location resolution events or abnormal subscriber tracking requests" + }, + { + "name": "TelecomLogs:MobilityEvents", + "channel": "Unexpected subscriber tracking or abnormal mobility/location resolution activity" + }, + { + "name": "NSM:Flow", + "channel": "Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns" + }, + { + "name": "NSM:Flow", + "channel": "App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json index 6476e50be5..a1447cda14 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8317636a-ff1b-4a4b-aeb9-9bd824796eb5", + "id": "bundle--75b89ca7-a086-40ad-b4de-cf60f828ddf9", "spec_version": "2.0", "objects": [ { 
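Review bot: The two added `TelecomLogs:MobilityEvents` entries describe the same signal with the words rearranged (`Unexpected location resolution events or abnormal subscriber tracking requests` and `Unexpected subscriber tracking or abnormal mobility/location resolution activity`), so one looks redundant. If they are meant to back distinct analytics, the channel text should state what separates them. All four new entries are appended after `esxi:vmkernel` rather than placed by name, unlike the other log-source lists in this commit, which appear to be name-ordered. The array begins outside this hunk.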
@@ -19,109 +19,70 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-24T19:47:33.610Z", "name": "User Account Authentication", "description": "An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { - "name": "User Account", - "channel": "None" + "name": "auditd:AUTH", + "channel": "pam_unix or pam_google_authenticator invoked repeatedly within short interval" }, { - "name": "NSM:Flow", - "channel": "TGS-REQ and AS-REQ seen for new user shortly after domain-modifying process" + "name": "auditd:SYSCALL", + "channel": "pam_authenticate, sshd" }, { - "name": "WinEventLog:Security", - "channel": "EventCode=4625" + "name": "auditd:SYSCALL", + "channel": "execution of ssh, scp, or sftp using previously unseen credentials or keys" }, { - "name": "saas:okta", - "channel": "session.impersonation.start" - }, - { - "name": "Okta:SystemLog", - "channel": "eventType: user.authentication.sso, app.oauth2.token.grant" - }, - { - "name": "azure:signinlogs", - "channel": "Success logs from high-risk accounts" - }, - { - "name": "networkdevice:syslog", - "channel": "config access, authentication logs" - }, - { - "name": "ESXiLogs:authlog", - "channel": "Unexpected login followed by encoding commands" - }, - { - "name": "saas:okta", - "channel": "Unusual OAuth app requesting message-read scopes for Slack/Teams/Jira" - }, - { - "name": 
"NSM:Connections", - "channel": "Accepted password or publickey for user from remote IP" - }, - { - "name": "macos:unifiedlog", - "channel": "successful sudo or authentication for account not normally associated with admin actions" - }, - { - "name": "esxi:vpxa", - "channel": "user login from unexpected IP or non-admin user role" - }, - { - "name": "m365:signinlogs", - "channel": "Sign-in from anomalous location or impossible travel condition" - }, - { - "name": "networkdevice:syslog", - "channel": "User privilege escalation to level 15/root prior to destructive commands" - }, - { - "name": "networkdevice:syslog", - "channel": "authorization/accounting logs" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4769, 1200, 1202" - }, - { - "name": "linux:syslog", - "channel": "sudo/date/timedatectl execution by non-standard users" - }, - { - "name": "saas:audit", - "channel": "Repeated requests to SMS-generating endpoints using anomalous or new user agents, IP ranges, or geographies." 
- }, - { - "name": "azure:signinlogs", - "channel": "Multiple MFA challenge requests without successful primary login" + "name": "auditd:USER_LOGIN", + "channel": "USER_AUTH" }, { "name": "AWS:CloudTrail", "channel": "AssumeRole or ConsoleLogin with repeated MFA failures followed by repeated MFA requests" }, { - "name": "auditd:AUTH", - "channel": "pam_unix or pam_google_authenticator invoked repeatedly within short interval" + "name": "AWS:CloudTrail", + "channel": "sts:GetFederationToken" }, { - "name": "WinEventLog:Security", - "channel": "EventCode=4768, 4769, 4770" + "name": "AWS:CloudTrail", + "channel": "AssumeRoleWithWebIdentity" }, { - "name": "NSM:Connections", - "channel": "Repeated failed authentication attempts or replay patterns" + "name": "AWS:CloudTrail", + "channel": "AWS IAM: ListUsers, ListRoles" + }, + { + "name": "AWS:CloudTrail", + "channel": "eventName=ConsoleLogin | eventType=AwsConsoleSignIn" + }, + { + "name": "AWS:CloudTrail", + "channel": "ConsoleLogin or AssumeRole" + }, + { + "name": "AWS:CloudTrail", + "channel": "ConsoleLogin, AssumeRole, ListAccessKeys, CreateUser" + }, + { + "name": "azure:signinlogs", + "channel": "Success logs from high-risk accounts" + }, + { + "name": "azure:signinlogs", + "channel": "Multiple MFA challenge requests without successful primary login" }, { "name": "azure:signinlogs", 
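Review bot: The added `auditd:USER_LOGIN` source carries `"channel": "USER_AUTH"`, and these are two different audit record types, so the entry does not say which record a collector should key on. Either `"name": "auditd:USER_AUTH"` or `"channel": "USER_LOGIN"` would make it consistent. The `AWS:CloudTrail` entry `AWS IAM: ListUsers, ListRoles` in the same hunk names enumeration calls rather than sign-in events, so it sits oddly under User Account Authentication and may belong to a different data component. The log-source array continues past this hunk.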
@@ -131,81 +92,225 @@ "name": "azure:signinlogs", "channel": "SignIn: Sign-ins flagged as atypical (new geographic region, unfamiliar device id) shortly after correlated endpoint/browser compromise times" }, - { - "name": "AWS:CloudTrail", - "channel": "sts:GetFederationToken" - }, - { - "name": "m365:unified", - "channel": "Delegated permission grants without user login event" - }, - { - "name": "saas:salesforce", - "channel": "API login using access_token without login history" - }, - { - "name": "AWS:CloudTrail", - "channel": "AssumeRoleWithWebIdentity" - }, { "name": "azure:signinlogs", "channel": "Operation=UserLogin" }, - { - "name": "esxi:auth", - "channel": "interactive shell or SSH access preceding storage enumeration" - }, - { - "name": "NSM:Connections", - "channel": "Successful login without expected MFA challenge" - }, - { - "name": "macos:unifiedlog", - "channel": "Login success without MFA step" - }, - { - "name": "kubernetes:apiserver", - "channel": "get/list requests to /api/v1/secrets or /api/v1/namespaces/*/serviceaccounts" - }, - { - "name": "auditd:SYSCALL", - "channel": "pam_authenticate, sshd" - }, - { - "name": "macos:unifiedlog", - "channel": "log show --predicate 'eventMessage contains \"Authentication\"'" - }, - { - "name": "esxi:vpxd", - "channel": "/var/log/vmware/vpxd.log" - }, { "name": "azure:signinlogs", "channel": "Unusual Token Usage or Application Consent" }, - { - "name": "networkdevice:syslog", - "channel": "Failed and successful logins to network devices outside approved admin IP ranges" - }, { "name": "azure:signinlogs", "channel": "OperationName=SetDomainAuthentication OR Set-FederatedDomain" }, - { - "name": "network:auth", - "channel": "repeated successful authentications with previously unknown accounts or anomalous password acceptance" - }, { "name": "azure:signinlogs", "channel": "Sign-in with unfamiliar location/device + portal navigation" }, + { + "name": "azure:signinlogs", + "channel": "Login from newly created 
account" + }, + { + "name": "azure:signinlogs", + "channel": "Interactive/Non-Interactive Sign-In" + }, + { + "name": "azure:signinlogs", + "channel": "Reset password or download key from portal" + }, + { + "name": "azure:signinlogs", + "channel": "status = failure" + }, + { + "name": "azure:signinlogs", + "channel": "Sign-in logs" + }, + { + "name": "azure:signinlogs", + "channel": "SigninSuccess" + }, + { + "name": "azure:signinlogs", + "channel": "Failure Reason + UserPrincipalName" + }, + { + "name": "azure:signinlogs", + "channel": "Sign-in activity" + }, + { + "name": "azure:signinlogs", + "channel": "Sign-in logs / audit events" + }, + { + "name": "esxi:auth", + "channel": "interactive shell or SSH access preceding storage enumeration" + }, + { + "name": "esxi:auth", + "channel": "/var/log/auth.log" + }, + { + "name": "esxi:auth", + "channel": "SSH session/login" + }, + { + "name": "esxi:vpxa", + "channel": "user login from unexpected IP or non-admin user role" + }, + { + "name": "esxi:vpxd", + "channel": "/var/log/vmware/vpxd.log" + }, + { + "name": "ESXiLogs:authlog", + "channel": "Unexpected login followed by encoding commands" + }, + { + "name": "gcp:audit", + "channel": "drive.activity" + }, + { + "name": "gcp:audit", + "channel": "login.event" + }, + { + "name": "gcp:audit", + "channel": "Sign-in logs / audit events" + }, + { + "name": "gcp:workspaceaudit", + "channel": "Token Generation via Domain Delegation" + }, + { + "name": "GCPAuditLogs:login.googleapis.com", + "channel": "Failed sign-in events" + }, + { + "name": "kubernetes:apiserver", + "channel": "get/list requests to /api/v1/secrets or /api/v1/namespaces/*/serviceaccounts" + }, + { + "name": "kubernetes:apiserver", + "channel": "authentication.k8s.io/v1beta1" + }, + { + "name": "kubernetes:audit", + "channel": "Failed login" + }, + { + "name": "kubernetes:audit", + "channel": "authentication.k8s.io" + }, + { + "name": "linux:auth", + "channel": "sshd login" + }, + { + "name": "linux:syslog", 
+ "channel": "sudo/date/timedatectl execution by non-standard users" + }, + { + "name": "linux:syslog", + "channel": "SSH failed login" + }, + { + "name": "linux:syslog", + "channel": "Failed password for invalid user" + }, + { + "name": "linux:syslog", + "channel": "sshd[pid]: Failed password" + }, + { + "name": "linux:syslog", + "channel": "authentication and authorization events during environmental validation phase" + }, + { + "name": "m365:exchange", + "channel": "Logon failure" + }, + { + "name": "m365:exchange", + "channel": "FailedLogin" + }, + { + "name": "m365:signinlogs", + "channel": "Sign-in from anomalous location or impossible travel condition" + }, { "name": "m365:signinlogs", "channel": "UserLoginSuccess" }, { - "name": "saas:salesforce", - "channel": "Login" + "name": "m365:signinlogs", + "channel": "Unusual sign-in from service principal to user mailbox" + }, + { + "name": "m365:unified", + "channel": "Delegated permission grants without user login event" + }, + { + "name": "m365:unified", + "channel": "login using refresh_token with no preceding authentication context" + }, + { + "name": "m365:unified", + "channel": "Sign-in logs" + }, + { + "name": "macos:unifiedlog", + "channel": "successful sudo or authentication for account not normally associated with admin actions" + }, + { + "name": "macos:unifiedlog", + "channel": "Login success without MFA step" + }, + { + "name": "macos:unifiedlog", + "channel": "log show --predicate 'eventMessage contains \"Authentication\"'" + }, + { + "name": "macos:unifiedlog", + "channel": "User credential prompt events without associated trusted installer package" + }, + { + "name": "macos:unifiedlog", + "channel": "Login failure / authorization denied" + }, + { + "name": "macos:unifiedlog", + "channel": "auth" + }, + { + "name": "macos:unifiedlog", + "channel": "Login Window and Authd errors" + }, + { + "name": "macos:unifiedlog", + "channel": "authd" + }, + { + "name": "network:auth", + "channel": "repeated 
successful authentications with previously unknown accounts or anomalous password acceptance" + }, + { + "name": "networkdevice:syslog", + "channel": "config access, authentication logs" + }, + { + "name": "networkdevice:syslog", + "channel": "User privilege escalation to level 15/root prior to destructive commands" + }, + { + "name": "networkdevice:syslog", + "channel": "authorization/accounting logs" + }, + { + "name": "networkdevice:syslog", + "channel": "Failed and successful logins to network devices outside approved admin IP ranges" }, { "name": "networkdevice:syslog", 
@@ -219,166 +324,74 @@ "name": "networkdevice:syslog", "channel": "Privileged login followed by destructive command sequence" }, - { - "name": "azure:signinlogs", - "channel": "Login from newly created account" - }, - { - "name": "auditd:SYSCALL", - "channel": "execution of ssh, scp, or sftp using previously unseen credentials or keys" - }, - { - "name": "m365:unified", - "channel": "login using refresh_token with no preceding authentication context" - }, - { - "name": "saas:googleworkspace", - "channel": "API access without user login" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4769" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4776, 4625" - }, - { - "name": "azure:signinlogs", - "channel": "Interactive/Non-Interactive Sign-In" - }, - { - "name": "AWS:CloudTrail", - "channel": "AWS IAM: ListUsers, ListRoles" - }, - { - "name": "gcp:workspaceaudit", - "channel": "Token Generation via Domain Delegation" - }, - { - "name": "m365:signinlogs", - "channel": "Unusual sign-in from service principal to user mailbox" - }, - { - "name": "macos:unifiedlog", - "channel": "User credential prompt events without associated trusted installer package" - }, - { - "name": "linux:auth", - "channel": "sshd login" - }, - { - "name": "saas:googleworkspace", - "channel": "Accessed third-party credential management service" - }, - { - "name": "azure:signinlogs", - "channel": "Reset password or download key from portal" - }, - { - "name": "linux:syslog", - "channel": "SSH failed login" - }, - { - "name": "macos:unifiedlog", - "channel": "Login failure / authorization denied" - }, - { - "name": "azure:signinlogs", - "channel": "status = failure" - }, - { - "name": "Okta:authn", - "channel": "authentication_failure" - }, - { - "name": "saas-app:auth", - "channel": "login_failure" - }, { "name": "networkdevice:syslog", "channel": "AAA, RADIUS, or TACACS authentication" }, - { - "name": "kubernetes:apiserver", - "channel": 
"authentication.k8s.io/v1beta1" - }, - { - "name": "m365:exchange", - "channel": "Logon failure" - }, - { - "name": "AWS:CloudTrail", - "channel": "eventName=ConsoleLogin | eventType=AwsConsoleSignIn" - }, - { - "name": "auditd:USER_LOGIN", - "channel": "USER_AUTH" - }, - { - "name": "azure:signinlogs", - "channel": "Sign-in logs" - }, - { - "name": "macos:unifiedlog", - "channel": "auth" - }, - { - "name": "m365:unified", - "channel": "Sign-in logs" - }, - { - "name": "AWS:CloudTrail", - "channel": "ConsoleLogin or AssumeRole" - }, - { - "name": "esxi:auth", - "channel": "/var/log/auth.log" - }, { "name": "networkdevice:syslog", "channel": "authentication logs" }, - { - "name": "azure:signinlogs", - "channel": "SigninSuccess" - }, - { - "name": "WinEventLog:Security", - "channel": "EventCode=4625, 4771, 4648" - }, - { - "name": "linux:syslog", - "channel": "Failed password for invalid user" - }, - { - "name": "macos:unifiedlog", - "channel": "Login Window and Authd errors" - }, - { - "name": "azure:signinlogs", - "channel": "Failure Reason + UserPrincipalName" - }, - { - "name": "saas:okta", - "channel": "authentication_failure" - }, { "name": "networkdevice:syslog", "channel": "AAA or TACACS authentication failures" }, { - "name": "kubernetes:audit", - "channel": "Failed login" + "name": "networkdevice:syslog", + "channel": "authentication & authorization" }, { - "name": "m365:exchange", - "channel": "FailedLogin" + "name": "networkdevice:syslog", + "channel": "login failed" + }, + { + "name": "NSM:Connections", + "channel": "Accepted password or publickey for user from remote IP" + }, + { + "name": "NSM:Connections", + "channel": "Repeated failed authentication attempts or replay patterns" + }, + { + "name": "NSM:Connections", + "channel": "Successful login without expected MFA challenge" + }, + { + "name": "NSM:Connections", + "channel": "sshd or PAM logins" + }, + { + "name": "NSM:Flow", + "channel": "TGS-REQ and AS-REQ seen for new user shortly after 
domain-modifying process" + }, + { + "name": "Okta:authn", + "channel": "authentication_failure" + }, + { + "name": "Okta:SystemLog", + "channel": "eventType: user.authentication.sso, app.oauth2.token.grant" + }, + { + "name": "saas-app:auth", + "channel": "login_failure" + }, + { + "name": "saas:audit", + "channel": "Repeated requests to SMS-generating endpoints using anomalous or new user agents, IP ranges, or geographies." }, { "name": "saas:auth", "channel": "signin_failed" }, + { + "name": "saas:googleworkspace", + "channel": "API access without user login" + }, + { + "name": "saas:googleworkspace", + "channel": "Accessed third-party credential management service" + }, { "name": "saas:googleworkspace", "channel": "login with reused session token and mismatched user agent or IP" 
@@ -388,72 +401,72 @@ "channel": "Access via OAuth credentials with unusual scopes or from anomalous IPs" }, { - "name": "networkdevice:syslog", - "channel": "authentication & authorization" + "name": "saas:MDM", + "channel": "Authentication events to device management or enterprise mobility management consoles" }, { - "name": "azure:signinlogs", - "channel": "Sign-in activity" + "name": "saas:MDM", + "channel": "Authentication events to Apple iCloud or enterprise device management services" }, { - "name": "AWS:CloudTrail", - "channel": "ConsoleLogin, AssumeRole, ListAccessKeys, CreateUser" + "name": "saas:okta", + "channel": "session.impersonation.start" }, { - "name": "gcp:audit", - "channel": "drive.activity" + "name": "saas:okta", + "channel": "Unusual OAuth app requesting message-read scopes for Slack/Teams/Jira" }, { - "name": "gcp:audit", - "channel": "login.event" - }, - { - "name": "linux:syslog", - "channel": "sshd[pid]: Failed password" - }, - { - "name": "macos:unifiedlog", - "channel": "authd" - }, - { - "name": "networkdevice:syslog", - "channel": "login failed" - }, - { - "name": "GCPAuditLogs:login.googleapis.com", - "channel": "Failed sign-in events" - }, - { - "name": "esxi:auth", - "channel": "SSH session/login" - }, - { - "name": "NSM:Connections", - "channel": "sshd or PAM logins" + "name": "saas:okta", + "channel": "authentication_failure" }, { "name": "saas:okta", "channel": "Sign-in logs / audit events" }, { - "name": "gcp:audit", - "channel": "Sign-in logs / audit events" + "name": "saas:okta", + "channel": "user.account.reset_password; user.mfa.factor.activate; app.oauth2.authorize" }, { - "name": "azure:signinlogs", - "channel": "Sign-in logs / audit events" + "name": "saas:salesforce", + "channel": "API login using access_token without login history" }, { - "name": "kubernetes:audit", - "channel": "authentication.k8s.io" + "name": "saas:salesforce", + "channel": "Login" + }, + { + "name": "User Account", + "channel": "None" + }, + { + 
"name": "WinEventLog:Security", + "channel": "EventCode=4625" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4769, 1200, 1202" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4768, 4769, 4770" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4769" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4776, 4625" + }, + { + "name": "WinEventLog:Security", + "channel": "EventCode=4625, 4771, 4648" }, { "name": "WinEventLog:Security", "channel": "EventCode=4648" - }, - { - "name": "linux:syslog", - "channel": "authentication and authorization events during environmental validation phase" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json index 8409ee9097..1d0fba20bd 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--16927b4d-ea98-4cbe-b569-5b2a71fbd303", + "id": "bundle--248f6dd2-58bc-4fd4-aff2-98db90fca3d1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json index dd8f07042b..95a68e971b 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--129fae86-9d73-4390-9f3b-d7af3a658d94", + "id": "bundle--28100796-cc0a-472f-82ba-084f4a9e70b6", "spec_version": "2.0", "objects": [ { 
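Review bot: The added `{ "name": "User Account", "channel": "None" }` entry in this `x_mitre_log_sources` hunk looks like a placeholder: its channel is the literal string `"None"`, not a real log channel. Anything that maps log sources to collection or detection coverage will count a source that cannot be queried. The same commit deletes the equivalent `Windows Registry` / `None` entry from DC0063 (`@@ -32,10 +31,6 @@`), which suggests the placeholder is being retired elsewhere. I would drop this entry too, or replace it with a concrete source and channel. The file header for this object is above the visible part of the diff, so I cannot confirm which data component it belongs to.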
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json index 02ac621f23..a7f004cbf8 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--811ea186-d770-4fb9-9c6a-1a09fbb22ac3", + "id": "bundle--e1b5a972-8597-41b5-876a-625a5c7a99f0", "spec_version": "2.0", "objects": [ { @@ -12,23 +12,24 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datacomponents/DC0016", + "url": "https://attack.mitre.org/data-components/DC0016", "external_id": "DC0016" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-01-29T17:21:27.873Z", "name": "Module Load", "description": "When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { 
@@ -186,6 +187,30 @@ { "name": "etw:Microsoft-Windows-Kernel-ImageLoad", "channel": "provider: Unsigned/user-writable image loads into msbuild.exe" + }, + { + "name": "android:logcat", + "channel": "DexClassLoader/PathClassLoader load attempt from non-standard path or recently created file" + }, + { + "name": "android:logcat", + "channel": "Short burst of file I/O followed by JNI/dlopen of a newly created .so" + }, + { + "name": "iOS:unifiedlog", + "channel": "dyld: dlopen/dyld_cache load from non-standard app-writable path" + }, + { + "name": "android:logcat", + "channel": "DexClassLoader/PathClassLoader loading from app-writable path OR reflective defineClass on byte[] payload" + }, + { + "name": "iOS:unifiedlog", + "channel": "dlopen/image load from app-writable path (tmp, Caches) outside bundled resources" + }, + { + "name": "android:logcat", + "channel": "DexClassLoader|PathClassLoader load from app-writable path OR dlopen of a freshly created .so" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json index c340fa85e4..79037ee10e 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0060e737-b556-46f4-be0b-b49aa8b6ca38", + "id": "bundle--5b117d77-8bc7-4c63-99ed-a555b403a343", "spec_version": "2.0", "objects": [ { 
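Review bot: The six mobile entries appended to `x_mitre_log_sources` for Module Load (DC0016) overlap heavily: three of the four `android:logcat` channels describe a `DexClassLoader`/`PathClassLoader` load from an app-writable or non-standard path, and both `iOS:unifiedlog` channels describe `dlopen` from an app-writable path. Consumers that key on the `name`/`channel` pair will treat these as distinct sources and may over-count coverage; I would keep one entry per distinct behaviour (dex load, native `.so` load, reflective `defineClass`). The entries are also appended unsorted, while the authentication log-source list earlier in this commit is re-sorted by `name`. The three prose `MobileEDR:telemetry` channels added to File Deletion (`@@ -118,6 +119,18 @@`) have the same overlap.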
@@ -12,17 +12,16 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datacomponents/DC0063", + "url": "https://attack.mitre.org/data-components/DC0063", "external_id": "DC0063" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-03-13T23:12:09.029Z", "name": "Windows Registry Key Modification", "description": "Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings.\n\n*Data Collection Measures:*\n\n- Windows Event Logs\n - Event ID 4657 - Registry Value Modified: Logs changes to registry values, including modifications to startup entries, security settings, or system configurations.\n- Sysmon (System Monitor) for Windows\n - Sysmon Event ID 13 - Registry Value Set: Captures changes to specific registry values.\n - Sysmon Event ID 14 - Registry Key & Value Renamed: Logs renaming of registry keys, which may indicate evasion attempts.\n- Endpoint Detection and Response (EDR) Solutions\n - Monitor registry modifications for suspicious behavior.", - "x_mitre_data_source_ref": "", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ @@ -32,10 +31,6 @@ "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ - { - "name": "Windows Registry", - "channel": "None" - }, { "name": "WinEventLog:Security", "channel": "EventCode=4657" diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json index e85b7d2a78..3d5bbed2f7 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json 
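Review bot: `x_mitre_version` stays at `"2.0"` for Windows Registry Key Modification (DC0063), even though this commit removes a log source and the `x_mitre_data_source_ref` field and advances `modified`. The other data components whose log sources change in this commit are bumped (Module Load and File Deletion to `3.0`, Process Metadata to `2.1`). If downstream tooling compares releases by `x_mitre_version`, this change would be missed; consider `"x_mitre_version": "2.1",` or confirm the omission is intended.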
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--adf6af61-0001-4c09-8e26-81609768d137", + "id": "bundle--f89faf52-6487-4fc1-af1a-72f7f998f84f", "spec_version": "2.0", "objects": [ { @@ -19,16 +19,17 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-23T18:19:16.114Z", "name": "File Deletion", "description": "Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { @@ -118,6 +119,18 @@ { "name": "auditd:CONFIG_CHANGE", "channel": "/etc/fstab, /etc/systemd/*" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application deletes, alters, renames, relocates, or suppresses local artifacts relevant to detection, including files, hidden media, compromise markers, or app-local evidence, before later continued execution or transfer" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime" + }, + { + "name": "MobileEDR:telemetry", + "channel": "application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication" } ] } 
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json index 3ee361a2ee..f64b4f60ff 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6871cd2b-90e2-46e5-b2b0-e434db395069", + "id": "bundle--d5d869f4-f97f-428a-93bf-475b9a232bd8", "spec_version": "2.0", "objects": [ { @@ -19,7 +19,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-16T17:01:33.771Z", "name": "Process Metadata", "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -29,7 +29,7 @@ "mobile-attack", "enterprise-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { @@ -207,6 +207,10 @@ { "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational", "channel": "Unsigned or untrusted modules loaded during JamPlus.exe runtime" + }, + { + "name": "macos:unifiedlog", + "channel": "Crash or abnormal termination of security agent or system extension host" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json index faf74a7860..17635a450a 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json 
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a0c238c7-ab06-4912-8b81-b64151d94ab6", + "id": "bundle--ce09ec17-8082-4021-be06-97a4dbd3fdff", "spec_version": "2.0", "objects": [ { @@ -12,23 +12,24 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datacomponents/DC0001", + "url": "https://attack.mitre.org/data-components/DC0001", "external_id": "DC0001" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2025-11-12T22:03:39.105Z", + "modified": "2026-04-09T17:05:23.355Z", "name": "Scheduled Job Creation", "description": "The establishment of a task or job that will execute at a predefined time or based on specific triggers.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack", - "enterprise-attack" + "enterprise-attack", + "mobile-attack" ], - "x_mitre_version": "2.0", + "x_mitre_version": "3.0", "x_mitre_attack_spec_version": "3.3.0", "x_mitre_log_sources": [ { @@ -94,6 +95,10 @@ { "name": "linux:cron", "channel": "Scheduled execution of unknown or unusual script/binary" + }, + { + "name": "MobiledEDR:telemetry", + "channel": "Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger" } ] } diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json index dc44637116..b26855815f 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json 
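Review bot: The new log source in the `@@ -94,6 +95,10 @@` hunk is named `MobiledEDR:telemetry`, while the File Deletion data component in this same commit uses `MobileEDR:telemetry`; the extra `d` looks like a typo. If analytics or coverage tooling joins on `name`, the misspelt value becomes a separate log source that matches nothing. I would change the line to `"name": "MobileEDR:telemetry",`. Separately, the channel text describes artifacts created by scheduled task execution, whereas this component covers job creation, so it may be worth checking that the entry is attached to the right data component.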
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--25b21a90-59b8-4a04-ba1f-201d3709e58f",
+ "id": "bundle--a4f21d0c-b3e5-40c5-8937-9610f76d0e60",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json
index 4d3ea52bce..8f00406082 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--74694e48-dbc2-460b-be8d-118707743bf8",
+ "id": "bundle--b9162fbe-e0b0-4cd0-8c4c-2d65c1a68602",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json
index 7a459e8a1c..c3fcd34163 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--53f143b2-5e9b-49cf-a110-ce6201176514",
+ "id": "bundle--5a9bc828-5cd7-40a9-b823-bbcf3f8b58e4",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json
index c6a6456d89..0ee665b906 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0351227f-d01f-49e5-8c9f-1ec090fcf120",
+ "id": "bundle--2d8a302d-16e5-4cf1-a04c-e61cade2d26d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json
index d43fc8f304..77d2e82526 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d5d42676-2c01-4141-8c26-24741a4b203e",
+ "id": "bundle--c618bf57-d0d6-4847-9b2a-6d0f5f1d8cf5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json
index d6509b234a..04d43f8fa1 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ba5ce24c-78b1-47cd-ae97-711ba38bb9fe",
+ "id": "bundle--7018e4c7-e24d-4454-bfd9-b550d388ef05",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json
index 23d65713e6..c4019af5fc 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e540fb07-8909-4cbc-b1c2-70bd8647e1d4",
+ "id": "bundle--df8a009a-8c0a-4f8d-aa41-cb9eb304bb7d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json
index bc10c2412a..40e46d1c86 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4687ac1d-34d6-4175-a9a1-06211991e7f0",
+ "id": "bundle--3099806c-61f1-4c1b-a379-0e4929afe311",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json
index c4cc35034b..0f1e7d9039 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--57f83934-bb73-4c3d-b967-1514dfbf1a2f",
+ "id": "bundle--f9f061a8-6d55-4467-9a06-ec3f87ffbc13",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json
index dc8d33a8d5..9d1fc2a578 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--09b345e8-5cdb-4cfc-af84-70d3f123bad0",
+ "id": "bundle--0669550e-4e8c-46dd-bbe4-52806aa93849",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json
index 30374cde0c..b5c33e89ae 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f4c73096-3632-48e5-b6eb-a7617f7c426b",
+ "id": "bundle--5869a6ac-7788-4bee-8c3c-34ef756aa1fa",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json
index 3f391714f0..6ef7f709b3 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b4c7b637-9906-4b56-954e-c3fdca82a6ad",
+ "id": "bundle--4d0986fe-df79-4a91-8704-5901aeaf457e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json
index 2f46ff3434..5fd1f48b83 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--508adb47-24db-4ce2-930c-6515c9e1babb",
+ "id": "bundle--a584e210-ee5f-4879-b1d0-1e31c9b10c86",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json
index 8d4521159a..cbe81f61b4 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1e12b72d-6aba-4f2e-864d-008d96ad1f23",
+ "id": "bundle--adf891a8-4f28-49e7-83af-6482c39936ab",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json
index d126ca3fd5..2a99e881e2 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fae5cc8e-9b83-4260-920d-b5ebf471cc85",
+ "id": "bundle--da838a8f-4c4c-4afc-9c34-7f060ec68497",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json
index 215045bf58..f6d605cc1f 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7fbe0981-851c-44a8-a6bb-1da81be3ed99",
+ "id": "bundle--aba2937f-a321-41b6-bf1b-74c02345473d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json
index 04b91507bb..a2d07ae2c9 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--62e097c5-2d8a-4536-9a10-7ba7bd8c2f20",
+ "id": "bundle--2793c626-d82a-46fd-b46f-1587cc9c9992",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
index 8fb1a2c68d..cbf13c2078 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8a136ced-48b4-4b1a-a4cd-bf86ebaf2527",
+ "id": "bundle--93147ac0-a335-4a9e-b7f6-8c9c5bb1e32c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json
index 6b261fe1ef..67c9e3378f 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--24ede24d-26da-44f1-8db8-5d025ca9df6f",
+ "id": "bundle--2f1b168b-a953-4fe9-abd3-b98485b4e466",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--04bcf663-e6cd-42bf-8864-f4d1ad345263.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--04bcf663-e6cd-42bf-8864-f4d1ad345263.json
index 35277b6e5a..4b8891059e 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--04bcf663-e6cd-42bf-8864-f4d1ad345263.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--04bcf663-e6cd-42bf-8864-f4d1ad345263.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--e72cb1e9-17d4-41e7-930b-8522068799ba",
+ "id": "bundle--210ac9c0-c63f-4de7-bf2b-215ec1f6f380",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--04bcf663-e6cd-42bf-8864-f4d1ad345263",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--05f7d4e4-ae99-4339-b71a-59f1e317dc6d.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--05f7d4e4-ae99-4339-b71a-59f1e317dc6d.json
index 65e1fbfe52..775648cea3 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--05f7d4e4-ae99-4339-b71a-59f1e317dc6d.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--05f7d4e4-ae99-4339-b71a-59f1e317dc6d.json
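Review bot: In the hunk for `x-mitre-detection-strategy--04bcf663-e6cd-42bf-8864-f4d1ad345263.json`, the added `"spec_version": "2.1",` sits on an object inside a bundle whose own header still reads `"spec_version": "2.0"`, so one file now declares two STIX versions. STIX 2.1 carries the version on each object rather than on the bundle, so a consumer that selects its parser or schema from the bundle header and one that reads the per-object field may validate this object differently. Either drop the per-object line from this 2.0 export or state in the commit description that the mix is intentional and which field consumers should trust. The same addition repeats in every `x-mitre-detection-strategy` hunk that follows, including the newly added files; the object body continues past the end of this hunk.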
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--d0bbe403-9400-4fd6-a366-598014e71759",
+ "id": "bundle--c9634805-6caf-4f8b-a56f-88c5f899ff59",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--05f7d4e4-ae99-4339-b71a-59f1e317dc6d",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--06443942-ba28-4d13-b4b4-93317d6eafa5.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--06443942-ba28-4d13-b4b4-93317d6eafa5.json
index b95af845e7..e13fb21ca1 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--06443942-ba28-4d13-b4b4-93317d6eafa5.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--06443942-ba28-4d13-b4b4-93317d6eafa5.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--e1aad005-e333-4165-b953-67dcd7677d7c",
+ "id": "bundle--1a04a56c-0402-4c0a-8ca9-5b1fe57b5026",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--06443942-ba28-4d13-b4b4-93317d6eafa5",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--08c090e3-c56f-4a8b-80f6-307a1daf46ea.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--08c090e3-c56f-4a8b-80f6-307a1daf46ea.json
index e8a2b3a926..5d3673e2ff 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--08c090e3-c56f-4a8b-80f6-307a1daf46ea.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--08c090e3-c56f-4a8b-80f6-307a1daf46ea.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--d1ebf159-910c-4591-88f1-96b1e3737973",
+ "id": "bundle--76455b95-b801-4139-becb-76926bb31498",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--08c090e3-c56f-4a8b-80f6-307a1daf46ea",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--09754c36-7be2-4536-aad2-a6c3568ba0e5.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--09754c36-7be2-4536-aad2-a6c3568ba0e5.json
index 3b57658736..43d41ea178 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--09754c36-7be2-4536-aad2-a6c3568ba0e5.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--09754c36-7be2-4536-aad2-a6c3568ba0e5.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--6e35a83b-2afb-4f0e-b060-70ca7c1da61b",
+ "id": "bundle--673e0a09-43a7-4a1d-b3f0-7fc16fc37ed9",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--09754c36-7be2-4536-aad2-a6c3568ba0e5",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--09f46edf-33f9-4c23-af2f-74864c27f616.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--09f46edf-33f9-4c23-af2f-74864c27f616.json
index fc8f14be6d..af0790dc01 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--09f46edf-33f9-4c23-af2f-74864c27f616.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--09f46edf-33f9-4c23-af2f-74864c27f616.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--5069c121-23af-4dba-943b-216093b05fbd",
+ "id": "bundle--f638bd4f-d986-4601-9a8b-ae718ec38ac0",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--09f46edf-33f9-4c23-af2f-74864c27f616",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0f2e4927-401d-430e-96ed-90feb8df1b03.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0f2e4927-401d-430e-96ed-90feb8df1b03.json
index 1d8c1e727c..c86c959ea0 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0f2e4927-401d-430e-96ed-90feb8df1b03.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--0f2e4927-401d-430e-96ed-90feb8df1b03.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--a6f6e6fd-faab-4fd9-98f1-0f316dddf5ef",
+ "id": "bundle--ecb9fa0f-79bb-421e-975f-b26d69c75d1f",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--0f2e4927-401d-430e-96ed-90feb8df1b03",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--105c127f-2777-452e-bf61-b0786ee13861.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--105c127f-2777-452e-bf61-b0786ee13861.json
index 4773cadc2b..87604c64d3 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--105c127f-2777-452e-bf61-b0786ee13861.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--105c127f-2777-452e-bf61-b0786ee13861.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--2707f5c3-0b9f-4835-825b-3632948ed98e",
+ "id": "bundle--94607e8f-b7b1-42a6-a777-d00b0a9d9b44",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--105c127f-2777-452e-bf61-b0786ee13861",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--13412b71-b94e-4aef-912a-44853f8bff05.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--13412b71-b94e-4aef-912a-44853f8bff05.json
index 2edf3b80c7..080922b1e8 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--13412b71-b94e-4aef-912a-44853f8bff05.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--13412b71-b94e-4aef-912a-44853f8bff05.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--b77b50c5-9dd1-47e7-b09e-abc2a6faf100",
+ "id": "bundle--90965477-d94e-491d-a32f-59fcfb242d65",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--13412b71-b94e-4aef-912a-44853f8bff05",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--194cb4dd-81ca-4e64-94e2-911fab1219f9.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--194cb4dd-81ca-4e64-94e2-911fab1219f9.json
index c352c4946f..607b538ac7 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--194cb4dd-81ca-4e64-94e2-911fab1219f9.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--194cb4dd-81ca-4e64-94e2-911fab1219f9.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--7e37c33d-b131-43d1-b5a6-473cfd3f0c27",
+ "id": "bundle--3fc6b7c5-0992-4186-8f74-019757ecad15",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--194cb4dd-81ca-4e64-94e2-911fab1219f9",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1bae319f-03d8-49c9-8bb8-e4f27bb69a11.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1bae319f-03d8-49c9-8bb8-e4f27bb69a11.json
index d00fad9b8e..9620f0f1f1 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1bae319f-03d8-49c9-8bb8-e4f27bb69a11.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--1bae319f-03d8-49c9-8bb8-e4f27bb69a11.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--a2350403-e8a1-4faa-b8fd-61caae421bce",
+ "id": "bundle--46a776e1-df94-4153-a469-59e91a1a6a99",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--1bae319f-03d8-49c9-8bb8-e4f27bb69a11",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2145faf1-28da-4ebc-9730-f2e2a8764ced.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2145faf1-28da-4ebc-9730-f2e2a8764ced.json
index 9369a994ea..7c4c2c20be 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2145faf1-28da-4ebc-9730-f2e2a8764ced.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2145faf1-28da-4ebc-9730-f2e2a8764ced.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--70751f4a-25aa-48c4-897f-7ec58d6154e9",
+ "id": "bundle--4f8fb9ab-de04-4c19-8946-0194627019e8",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--2145faf1-28da-4ebc-9730-f2e2a8764ced",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2a1619a7-dd27-48e4-b56f-806cb3d2e405.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2a1619a7-dd27-48e4-b56f-806cb3d2e405.json
index f2a5e584c1..1f05381ca8 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2a1619a7-dd27-48e4-b56f-806cb3d2e405.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2a1619a7-dd27-48e4-b56f-806cb3d2e405.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--94785bc1-f999-4f7e-b1cf-c0032512654d",
+ "id": "bundle--195288ef-f643-4a89-9dbc-a78c3f17a38a",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--2a1619a7-dd27-48e4-b56f-806cb3d2e405",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2e99cd65-aad4-4796-9013-79837d498eb6.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2e99cd65-aad4-4796-9013-79837d498eb6.json
new file mode 100644
index 0000000000..8699a674a1
--- /dev/null
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--2e99cd65-aad4-4796-9013-79837d498eb6.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--d6c96205-0f4b-45c5-89d9-d1c2ac43042d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
+ "id": "x-mitre-detection-strategy--2e99cd65-aad4-4796-9013-79837d498eb6",
+ "created": "2026-04-23T00:09:43.016Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0913",
+ "external_id": "DET0913"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:31:14.045Z",
+ "name": "Detection of Program Download All",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--e379be82-39d7-4ae4-8557-f846ba19cd4b"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--31773402-e407-4ed3-b86c-7a8587dc5ec9.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--31773402-e407-4ed3-b86c-7a8587dc5ec9.json
new file mode 100644
index 0000000000..c134bf8815
--- /dev/null
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--31773402-e407-4ed3-b86c-7a8587dc5ec9.json
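Review bot: The new `x-mitre-detection-strategy--2e99cd65-aad4-4796-9013-79837d498eb6.json` object links to its analytic only through `"x-mitre-analytic--e379be82-39d7-4ae4-8557-f846ba19cd4b"` in `x_mitre_analytic_refs`, and that analytic object is not visible in this part of the diff. If the referenced file is not added by the same commit, the strategy ships with a dangling reference and tooling that resolves detection strategies to analytics will silently return nothing for DET0913. A reference-resolution check over every `*_ref` and `*_refs` value before publishing would catch this. The same applies to the other newly added strategy files in this change (DET0906, DET0912, DET0909).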
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--a1081461-4e6d-425f-9bd8-ab807f073baf",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
+ "id": "x-mitre-detection-strategy--31773402-e407-4ed3-b86c-7a8587dc5ec9",
+ "created": "2026-04-22T17:55:10.734Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0906",
+ "external_id": "DET0906"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:31:24.570Z",
+ "name": "Detection of Siemens Project File Format Infection",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--6a510bf0-0289-4eb0-8645-89f0f4d32cf3"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--336b9423-5543-4354-bd00-13c614ccdc96.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--336b9423-5543-4354-bd00-13c614ccdc96.json
index 875f424ffa..9457d1a318 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--336b9423-5543-4354-bd00-13c614ccdc96.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--336b9423-5543-4354-bd00-13c614ccdc96.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--8d20e34d-b363-4975-aaa3-88742008e5cf",
+ "id": "bundle--400947f7-5156-494c-a379-4ae6a0628920",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--336b9423-5543-4354-bd00-13c614ccdc96",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--33dd1c37-1702-4de2-9712-fcc640e4b681.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--33dd1c37-1702-4de2-9712-fcc640e4b681.json
index dd95ac6039..0bfafcc50b 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--33dd1c37-1702-4de2-9712-fcc640e4b681.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--33dd1c37-1702-4de2-9712-fcc640e4b681.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--581ae8f6-7d45-4c72-b76e-b16c401fac9b",
+ "id": "bundle--6aa25be3-560b-4e36-a17d-cd39ce4ffe08",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--33dd1c37-1702-4de2-9712-fcc640e4b681",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--37b4971d-2eb8-4f87-899c-19acaf0394bb.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--37b4971d-2eb8-4f87-899c-19acaf0394bb.json
index 6df584875d..96d5865443 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--37b4971d-2eb8-4f87-899c-19acaf0394bb.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--37b4971d-2eb8-4f87-899c-19acaf0394bb.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--29f34ec8-00b4-4205-b7f6-744ee71a6c55",
+ "id": "bundle--bc27949c-5f25-42a2-8c05-432d3dcf022c",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--37b4971d-2eb8-4f87-899c-19acaf0394bb",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3a772c6d-fda2-404a-86aa-85a0bdbb43e9.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3a772c6d-fda2-404a-86aa-85a0bdbb43e9.json
index 5a82bf21de..60c9fe6f57 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3a772c6d-fda2-404a-86aa-85a0bdbb43e9.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3a772c6d-fda2-404a-86aa-85a0bdbb43e9.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--39710f2c-5826-45b2-9ec4-c6cb177a267b",
+ "id": "bundle--0a034e44-27f4-4679-88d9-7bb7c8f0d8b1",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--3a772c6d-fda2-404a-86aa-85a0bdbb43e9",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3e884c49-75ca-449e-83cb-3517ee88e0f1.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3e884c49-75ca-449e-83cb-3517ee88e0f1.json
index c81f05e1f6..e207c6e42e 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3e884c49-75ca-449e-83cb-3517ee88e0f1.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3e884c49-75ca-449e-83cb-3517ee88e0f1.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--e3b500f2-f186-4c30-a638-8e088852a9da",
+ "id": "bundle--e12941e1-94a6-4897-ab8b-6ae9e371fbc9",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--3e884c49-75ca-449e-83cb-3517ee88e0f1",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3ea60ac7-87a3-4033-9089-258941d8388a.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3ea60ac7-87a3-4033-9089-258941d8388a.json
index 3356dc416a..95179cbe94 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3ea60ac7-87a3-4033-9089-258941d8388a.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--3ea60ac7-87a3-4033-9089-258941d8388a.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--8f871ec0-94ce-4a04-bb72-5f1379c31255",
+ "id": "bundle--a2da0878-2266-40f1-81c3-0d78ff844bdd",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--3ea60ac7-87a3-4033-9089-258941d8388a",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--441ded70-7e25-47f1-b55c-0fafb7d4f44c.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--441ded70-7e25-47f1-b55c-0fafb7d4f44c.json
index 50164c65c6..5af8307b1a 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--441ded70-7e25-47f1-b55c-0fafb7d4f44c.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--441ded70-7e25-47f1-b55c-0fafb7d4f44c.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--ee62bc2a-b80b-4ea9-89cf-1b2d0aea7098",
+ "id": "bundle--42a54e19-6a56-473f-9907-ce109feadb88",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--441ded70-7e25-47f1-b55c-0fafb7d4f44c",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--442bf059-f7cf-460b-8200-f35e1e0a0c78.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--442bf059-f7cf-460b-8200-f35e1e0a0c78.json
index 8200dbc6f2..3fa9a7fed3 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--442bf059-f7cf-460b-8200-f35e1e0a0c78.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--442bf059-f7cf-460b-8200-f35e1e0a0c78.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--a01929d3-cc2d-48c6-87b9-a3c16979da2d",
+ "id": "bundle--6640680f-d15e-4845-bd70-a05d62f84d07",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--442bf059-f7cf-460b-8200-f35e1e0a0c78",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--442e5dcf-7f41-4ba5-ba89-aefb0d1c63cf.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--442e5dcf-7f41-4ba5-ba89-aefb0d1c63cf.json
index 5f0a7e9591..ae3befa917 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--442e5dcf-7f41-4ba5-ba89-aefb0d1c63cf.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--442e5dcf-7f41-4ba5-ba89-aefb0d1c63cf.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--fc58904d-6a46-4728-b439-1e440cce5f94",
+ "id": "bundle--e4a9ce32-d3e7-47fe-b6d1-560203990733",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--442e5dcf-7f41-4ba5-ba89-aefb0d1c63cf",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--47c6f72c-1f2f-4ea8-94d0-08202b7d5bdb.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--47c6f72c-1f2f-4ea8-94d0-08202b7d5bdb.json
index 37755283a1..ef44f73fcc 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--47c6f72c-1f2f-4ea8-94d0-08202b7d5bdb.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--47c6f72c-1f2f-4ea8-94d0-08202b7d5bdb.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--25673d64-c46d-4b34-9073-6bb50e5d0ad2",
+ "id": "bundle--6721821a-e8d7-473a-93ac-903627b6799e",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--47c6f72c-1f2f-4ea8-94d0-08202b7d5bdb",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--4ea060f9-f6fc-4122-9544-70afd567ea10.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--4ea060f9-f6fc-4122-9544-70afd567ea10.json
index a651f79e3f..1532cc83ae 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--4ea060f9-f6fc-4122-9544-70afd567ea10.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--4ea060f9-f6fc-4122-9544-70afd567ea10.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--241b164e-f3eb-4b39-baa3-7cf618e90c12",
+ "id": "bundle--f7b36678-5f2b-42cd-b771-1bd2c750f5c4",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--4ea060f9-f6fc-4122-9544-70afd567ea10",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--519082ce-24ab-4f6b-9e86-b9443758c9d4.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--519082ce-24ab-4f6b-9e86-b9443758c9d4.json
index a9cd1abb8a..c865849fce 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--519082ce-24ab-4f6b-9e86-b9443758c9d4.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--519082ce-24ab-4f6b-9e86-b9443758c9d4.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--78c141e1-bb02-457c-9366-9592d75fbdc4",
+ "id": "bundle--fb599781-4c01-4bba-8d59-2a569219e623",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--519082ce-24ab-4f6b-9e86-b9443758c9d4",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--527668a3-cc0c-48c2-856a-a45615817366.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--527668a3-cc0c-48c2-856a-a45615817366.json
new file mode 100644
index 0000000000..8786cf8bf3
--- /dev/null
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--527668a3-cc0c-48c2-856a-a45615817366.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--b21f8e71-c4a2-4e73-ba9a-3c6341060a08",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
+ "id": "x-mitre-detection-strategy--527668a3-cc0c-48c2-856a-a45615817366",
+ "created": "2026-04-22T22:56:48.997Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0912",
+ "external_id": "DET0912"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:28:13.555Z",
+ "name": "Detection of Block Wi-Fi",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--0b4e7cfa-9f9d-49b0-b5bf-afdf62058c5a"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5604323b-6e7a-4801-91ae-4bf591f2e3ac.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5604323b-6e7a-4801-91ae-4bf591f2e3ac.json
index b5c7d160c2..ad3cad1096 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5604323b-6e7a-4801-91ae-4bf591f2e3ac.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5604323b-6e7a-4801-91ae-4bf591f2e3ac.json
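Review bot: The new DET0912 object carries its detection content only through the single entry in `x_mitre_analytic_refs`, and the referenced `x-mitre-analytic--0b4e7cfa-9f9d-49b0-b5bf-afdf62058c5a` is not part of this hunk, so it should be confirmed that the analytic object ships in the same commit. A dangling reference would leave consumers with a named strategy and no analytic behind it, which is easy to miss because the file itself still parses. A release check that resolves every `x_mitre_analytic_refs` entry against the objects of the `ics-attack` domain would catch this. The same applies to the other newly added strategy files in this diff (DET0909, DET0907, DET0903, DET0904).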
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--f01271d1-4f3c-4acf-a8bd-e7933429b862",
+ "id": "bundle--0c5421b3-3bdb-43b2-9f6b-17454ad6dbb0",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--5604323b-6e7a-4801-91ae-4bf591f2e3ac",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--56bf71a3-a28b-4a8f-84ed-3a71449d47c0.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--56bf71a3-a28b-4a8f-84ed-3a71449d47c0.json
new file mode 100644
index 0000000000..ea7d47602f
--- /dev/null
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--56bf71a3-a28b-4a8f-84ed-3a71449d47c0.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--382b42b9-5b74-4b6e-82ef-e98ed14e9dc9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
+ "id": "x-mitre-detection-strategy--56bf71a3-a28b-4a8f-84ed-3a71449d47c0",
+ "created": "2026-04-22T20:46:31.212Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0909",
+ "external_id": "DET0909"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:30:28.263Z",
+ "name": "Detection of Multicast Discovery",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--67861309-0ba7-4713-843e-3def87e396ec"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--58b4bda4-d69a-4a20-ab67-308c4451a5e8.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--58b4bda4-d69a-4a20-ab67-308c4451a5e8.json
index 01f1d76ac0..b586b888f9 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--58b4bda4-d69a-4a20-ab67-308c4451a5e8.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--58b4bda4-d69a-4a20-ab67-308c4451a5e8.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--471f3b6d-d8ab-4312-9abe-606415a1d422",
+ "id": "bundle--c156de61-35ce-45bb-af6c-9c49f0407832",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--58b4bda4-d69a-4a20-ab67-308c4451a5e8",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5ba60cf7-738d-4ed4-827c-8c763ad9f0f0.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5ba60cf7-738d-4ed4-827c-8c763ad9f0f0.json
index 3ea10c8e96..5b3161249c 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5ba60cf7-738d-4ed4-827c-8c763ad9f0f0.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--5ba60cf7-738d-4ed4-827c-8c763ad9f0f0.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--5d1796be-24bc-4f8e-8c58-f0df2cd32831",
+ "id": "bundle--eeef4bb7-fdbf-4463-9c55-f281df8f64e7",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--5ba60cf7-738d-4ed4-827c-8c763ad9f0f0",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--60a55b7b-29a5-437e-83a7-edbe6f3c4415.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--60a55b7b-29a5-437e-83a7-edbe6f3c4415.json
index e4d783e7f3..2668c527eb 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--60a55b7b-29a5-437e-83a7-edbe6f3c4415.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--60a55b7b-29a5-437e-83a7-edbe6f3c4415.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--1f1bb97a-125a-43fb-ab13-4070665a4186",
+ "id": "bundle--71883dd7-9138-4f21-b04b-1e2aa8ad1cf9",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--60a55b7b-29a5-437e-83a7-edbe6f3c4415",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--62587e44-0623-4b14-bd45-126430eaed4a.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--62587e44-0623-4b14-bd45-126430eaed4a.json
index aa039ed21e..009b36fce9 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--62587e44-0623-4b14-bd45-126430eaed4a.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--62587e44-0623-4b14-bd45-126430eaed4a.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--9198aa2e-20f5-4cd8-9a61-27028475db5e",
+ "id": "bundle--8bf6a998-6d3a-4982-b81f-5a97fba2df48",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--62587e44-0623-4b14-bd45-126430eaed4a",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--636329e6-32b9-4a71-acf8-ae6d01a6b4ef.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--636329e6-32b9-4a71-acf8-ae6d01a6b4ef.json
index cce951cc90..2a3b935225 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--636329e6-32b9-4a71-acf8-ae6d01a6b4ef.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--636329e6-32b9-4a71-acf8-ae6d01a6b4ef.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--3f292e94-694c-49b7-be63-38d866112ec9",
+ "id": "bundle--f52f8dad-abc8-4c85-a35c-f23444328c67",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--636329e6-32b9-4a71-acf8-ae6d01a6b4ef",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--67c2be08-d31a-4385-a637-9d1a907c7a26.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--67c2be08-d31a-4385-a637-9d1a907c7a26.json
index 230982bec8..426704369a 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--67c2be08-d31a-4385-a637-9d1a907c7a26.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--67c2be08-d31a-4385-a637-9d1a907c7a26.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--7e454df8-ef30-4892-b1e7-b1b9d0390df1",
+ "id": "bundle--d860f781-8ed0-4eb8-80da-b9a640f16abd",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--67c2be08-d31a-4385-a637-9d1a907c7a26",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6bdde391-76eb-4bd7-9e19-e805ab98b7ac.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6bdde391-76eb-4bd7-9e19-e805ab98b7ac.json
new file mode 100644
index 0000000000..e2b829af9c
--- /dev/null
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6bdde391-76eb-4bd7-9e19-e805ab98b7ac.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--abc15fd0-56f9-4057-86e0-bfbfd406dbee",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
+ "id": "x-mitre-detection-strategy--6bdde391-76eb-4bd7-9e19-e805ab98b7ac",
+ "created": "2026-04-22T18:52:19.941Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0907",
+ "external_id": "DET0907"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:30:52.373Z",
+ "name": "Detection of Port Scan",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--51a094bf-b7eb-452a-9b7a-ffac16fce1ac"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6d2ba563-0aa9-4f64-a14d-da62b694b495.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6d2ba563-0aa9-4f64-a14d-da62b694b495.json
index 2603e5a6f1..51e6cb4aed 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6d2ba563-0aa9-4f64-a14d-da62b694b495.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6d2ba563-0aa9-4f64-a14d-da62b694b495.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--fb80dcf0-3049-49d5-942e-0df5e75b03e0",
+ "id": "bundle--fe205678-d655-44ec-9d1c-87530a26cb98",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--6d2ba563-0aa9-4f64-a14d-da62b694b495",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6f318bab-df4a-4a51-b849-e9c2ab2f9c4c.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6f318bab-df4a-4a51-b849-e9c2ab2f9c4c.json
new file mode 100644
index 0000000000..9d901fc423
--- /dev/null
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6f318bab-df4a-4a51-b849-e9c2ab2f9c4c.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--ea419ad8-6a7c-4b0d-9e8d-0c059978455c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
+ "id": "x-mitre-detection-strategy--6f318bab-df4a-4a51-b849-e9c2ab2f9c4c",
+ "created": "2026-04-22T15:09:30.933Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0903",
+ "external_id": "DET0903"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:28:00.436Z",
+ "name": "Detection of Block Operational Technology Message",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--c556c91d-64a0-401c-9c41-18971eeca0f2"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6f921aa8-deb3-4286-8101-26a7cbe80c0e.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6f921aa8-deb3-4286-8101-26a7cbe80c0e.json
index 247efd43b0..196a6bbb75 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6f921aa8-deb3-4286-8101-26a7cbe80c0e.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--6f921aa8-deb3-4286-8101-26a7cbe80c0e.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--42507424-d53e-4192-9989-51a152361ea1",
+ "id": "bundle--db170f9a-2f60-4092-903e-f61ef3eebf22",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--6f921aa8-deb3-4286-8101-26a7cbe80c0e",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--709e05b2-6400-43a2-9bbf-b64f6017b023.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--709e05b2-6400-43a2-9bbf-b64f6017b023.json
index 3bae7aba76..a22da2e1c9 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--709e05b2-6400-43a2-9bbf-b64f6017b023.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--709e05b2-6400-43a2-9bbf-b64f6017b023.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--7d8a9b9e-936e-414d-aef1-c11534b9fd6b",
+ "id": "bundle--35e34d03-b7d4-4965-8dbe-14b0fba19e00",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--709e05b2-6400-43a2-9bbf-b64f6017b023",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--732d2487-3241-4866-8bb5-044bb4acdd3b.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--732d2487-3241-4866-8bb5-044bb4acdd3b.json
index 2e3bb4d149..6d61f6d984 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--732d2487-3241-4866-8bb5-044bb4acdd3b.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--732d2487-3241-4866-8bb5-044bb4acdd3b.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--77b519e7-3851-481b-b1da-24fd6d65d6e6",
+ "id": "bundle--15cd3d74-6fae-44e6-86ee-c6e5b6baf1dd",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--732d2487-3241-4866-8bb5-044bb4acdd3b",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--73773bb8-c63b-4d48-9b48-33440f12a514.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--73773bb8-c63b-4d48-9b48-33440f12a514.json
new file mode 100644
index 0000000000..b1afd055c1
--- /dev/null
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--73773bb8-c63b-4d48-9b48-33440f12a514.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--bc49c07c-9a10-4f50-9816-f93706045de2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
+ "id": "x-mitre-detection-strategy--73773bb8-c63b-4d48-9b48-33440f12a514",
+ "created": "2026-04-22T15:56:01.514Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0904",
+ "external_id": "DET0904"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:30:02.969Z",
+ "name": "Detection of Firmware Modification",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--fc6641ac-5748-4498-89e9-d4ada2b6f88a"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--74b96bd4-dab9-494e-a540-b7c998581fd5.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--74b96bd4-dab9-494e-a540-b7c998581fd5.json
index cc866e8c1e..29acf12d61 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--74b96bd4-dab9-494e-a540-b7c998581fd5.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--74b96bd4-dab9-494e-a540-b7c998581fd5.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--f10de2e4-5823-4b79-989f-0c6f54728d39",
+ "id": "bundle--be864d6e-8a47-4129-82cf-1dc7686c4986",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--74b96bd4-dab9-494e-a540-b7c998581fd5",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7f32731d-7800-483c-b077-c4a187a27ae5.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7f32731d-7800-483c-b077-c4a187a27ae5.json
index 2a2a800a2d..c71030f8a9 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7f32731d-7800-483c-b077-c4a187a27ae5.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7f32731d-7800-483c-b077-c4a187a27ae5.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--9a62bd8c-3059-4f9a-bdb0-7734cbc79c01",
+ "id": "bundle--b32f685b-f50c-46b4-9fb6-8b8756e7fe69",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--7f32731d-7800-483c-b077-c4a187a27ae5",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7f41ed29-fdc6-4c28-ba10-9de1aa129f7e.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7f41ed29-fdc6-4c28-ba10-9de1aa129f7e.json
index 15a51d13a1..a757f253ae 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7f41ed29-fdc6-4c28-ba10-9de1aa129f7e.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--7f41ed29-fdc6-4c28-ba10-9de1aa129f7e.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--5a46b4a9-82cc-4d04-ac0e-2c06ee95861f",
+ "id": "bundle--5b2ff178-2477-4274-a2e1-b85373e9c589",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--7f41ed29-fdc6-4c28-ba10-9de1aa129f7e",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--825106d1-6f44-47a1-b8dd-c3e3b6cecab7.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--825106d1-6f44-47a1-b8dd-c3e3b6cecab7.json
index 2c789db034..e8073ae4eb 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--825106d1-6f44-47a1-b8dd-c3e3b6cecab7.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--825106d1-6f44-47a1-b8dd-c3e3b6cecab7.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--bd7842be-a8a6-4a94-8052-8bd796c17a13",
+ "id": "bundle--bdf85d5e-afc0-4637-bb68-7ab41f3e4ba5",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--825106d1-6f44-47a1-b8dd-c3e3b6cecab7",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--87493fa2-bb78-4e28-b882-d79eecd10740.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--87493fa2-bb78-4e28-b882-d79eecd10740.json
index 44012bd8d5..8769126dd0 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--87493fa2-bb78-4e28-b882-d79eecd10740.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--87493fa2-bb78-4e28-b882-d79eecd10740.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--1686d1b7-16ad-4988-9304-6e56e0edcfed",
+ "id": "bundle--f2bad2bc-2f17-4ac5-8a7c-2ecee133c7f1",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--87493fa2-bb78-4e28-b882-d79eecd10740",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--887ae691-a519-4b68-af26-bcea1483cef7.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--887ae691-a519-4b68-af26-bcea1483cef7.json
index 24f498ed8e..25c7d0e919 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--887ae691-a519-4b68-af26-bcea1483cef7.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--887ae691-a519-4b68-af26-bcea1483cef7.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--b33eab48-5ec8-4564-a292-d1c53643a4d6",
+ "id": "bundle--a529b691-3a25-47d7-ad99-2203582c76ac",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--887ae691-a519-4b68-af26-bcea1483cef7",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--89e95503-b02c-43da-90b3-15584b27e6d6.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--89e95503-b02c-43da-90b3-15584b27e6d6.json
index 4b6384daf4..924a2a0251 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--89e95503-b02c-43da-90b3-15584b27e6d6.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--89e95503-b02c-43da-90b3-15584b27e6d6.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--7e42680a-6343-4bcc-91ab-d72cc8228251",
+ "id": "bundle--ac48a813-4805-49cb-a5e8-59fe396aff26",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--89e95503-b02c-43da-90b3-15584b27e6d6",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--8ae936b6-b635-4104-bd11-81c18d90cf97.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--8ae936b6-b635-4104-bd11-81c18d90cf97.json
index 6307b6fa4a..01e27f3283 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--8ae936b6-b635-4104-bd11-81c18d90cf97.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--8ae936b6-b635-4104-bd11-81c18d90cf97.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--f0c01457-a819-4708-a17c-ba1742969a9b",
+ "id": "bundle--b6540047-f2d2-436d-9842-659895079003",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--8ae936b6-b635-4104-bd11-81c18d90cf97",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--930b268b-abf0-485f-9854-60c1cfdd2d33.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--930b268b-abf0-485f-9854-60c1cfdd2d33.json
index e8d58e6b07..0429c70887 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--930b268b-abf0-485f-9854-60c1cfdd2d33.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--930b268b-abf0-485f-9854-60c1cfdd2d33.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--8b2e716f-a3a1-46cb-a27e-13fb7e68965a",
+ "id": "bundle--4ed73630-e5c0-482b-965b-f1b444f8f7c3",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--930b268b-abf0-485f-9854-60c1cfdd2d33",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--97914ffd-b189-415e-9309-e63e3be01b1e.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--97914ffd-b189-415e-9309-e63e3be01b1e.json
index 9a3a0a0016..5180002517 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--97914ffd-b189-415e-9309-e63e3be01b1e.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--97914ffd-b189-415e-9309-e63e3be01b1e.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--8527b526-5f07-4e7a-8659-e4842e1dd114",
+ "id": "bundle--c8ecb613-a51a-44ba-9488-11e9c68e3de6",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--97914ffd-b189-415e-9309-e63e3be01b1e",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9ad17e7a-5920-42ac-9bf4-545b99162640.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9ad17e7a-5920-42ac-9bf4-545b99162640.json
index 9a26733765..32cfe14cc8 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9ad17e7a-5920-42ac-9bf4-545b99162640.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9ad17e7a-5920-42ac-9bf4-545b99162640.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--46075a71-4ce8-491c-bff9-95916a0ba604",
+ "id": "bundle--5c244770-966e-45bd-baa4-c04708bb711a",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--9ad17e7a-5920-42ac-9bf4-545b99162640",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9f3df5ac-caa0-4189-9b9b-dcf2f6bbdc54.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9f3df5ac-caa0-4189-9b9b-dcf2f6bbdc54.json
index 9ef3d2682d..b6156e2b64 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9f3df5ac-caa0-4189-9b9b-dcf2f6bbdc54.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--9f3df5ac-caa0-4189-9b9b-dcf2f6bbdc54.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--4303aec8-111b-438f-82b6-1b04e8e125d8",
+ "id": "bundle--9956e726-8e7c-4823-9d34-010f1d67ba60",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--9f3df5ac-caa0-4189-9b9b-dcf2f6bbdc54",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a366d027-d797-4957-949a-870aed0766dd.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a366d027-d797-4957-949a-870aed0766dd.json
index f6d16d0b4f..1ee42a047b 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a366d027-d797-4957-949a-870aed0766dd.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a366d027-d797-4957-949a-870aed0766dd.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--317fbdd1-d889-4d68-a447-603ad6c85a27",
+ "id": "bundle--ecb1ce06-24ac-478b-97eb-f9062f446a2c",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--a366d027-d797-4957-949a-870aed0766dd",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a995ba7c-c2c2-4d74-a3da-74e5a192099b.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a995ba7c-c2c2-4d74-a3da-74e5a192099b.json
index a40803852f..d895d8e092 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a995ba7c-c2c2-4d74-a3da-74e5a192099b.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--a995ba7c-c2c2-4d74-a3da-74e5a192099b.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--7473d00a-ed99-4ff7-a9f4-fa9190dcbba0",
+ "id": "bundle--4836dc10-a497-45f1-97f9-67d03842288f",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--a995ba7c-c2c2-4d74-a3da-74e5a192099b",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ab3f0926-58e2-485e-987c-66b541d9de97.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ab3f0926-58e2-485e-987c-66b541d9de97.json
index 5afb28c1cf..14a4152246 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ab3f0926-58e2-485e-987c-66b541d9de97.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ab3f0926-58e2-485e-987c-66b541d9de97.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--7100d9fb-9112-4df9-bb49-5fe6cb66a28f",
+ "id": "bundle--ce2c49c4-1ebf-47ac-933b-32b248054860",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--ab3f0926-58e2-485e-987c-66b541d9de97",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ad675d25-2829-48e5-8475-28f1ed5d813a.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ad675d25-2829-48e5-8475-28f1ed5d813a.json
index 3e987a2960..5757cbeb4a 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ad675d25-2829-48e5-8475-28f1ed5d813a.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ad675d25-2829-48e5-8475-28f1ed5d813a.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--ecc8b3bd-3fed-4daf-b195-b0ecdb595b37",
+ "id": "bundle--1ded934e-4014-4571-aa6e-fd223b8bf683",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--ad675d25-2829-48e5-8475-28f1ed5d813a",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ae24274b-0e20-451e-a883-6eeb0e8e7d00.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ae24274b-0e20-451e-a883-6eeb0e8e7d00.json index 744a4fa3bb..3438216f1f 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ae24274b-0e20-451e-a883-6eeb0e8e7d00.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ae24274b-0e20-451e-a883-6eeb0e8e7d00.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--aedd9928-d229-4053-ba09-15e842849113", + "id": "bundle--f47d9d34-23f0-4f2a-b8da-bfadb3b12e12", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--ae24274b-0e20-451e-a883-6eeb0e8e7d00", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b04e83cc-8ace-4880-8953-7ce55eb8c427.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b04e83cc-8ace-4880-8953-7ce55eb8c427.json index aa6cdf774d..e29d862cfe 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b04e83cc-8ace-4880-8953-7ce55eb8c427.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b04e83cc-8ace-4880-8953-7ce55eb8c427.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--f26387d5-6b17-44cc-a7e5-1dae5c324dec", + "id": "bundle--b6c2ba23-3498-426f-83f7-67ff60ce924a", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--b04e83cc-8ace-4880-8953-7ce55eb8c427", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b25c4621-5d38-43ee-871e-0e5c02f2f48c.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b25c4621-5d38-43ee-871e-0e5c02f2f48c.json index 23d6945145..39b140fc56 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b25c4621-5d38-43ee-871e-0e5c02f2f48c.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b25c4621-5d38-43ee-871e-0e5c02f2f48c.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--7b1a48fc-7f44-4d99-909c-3161de5f394a", + "id": "bundle--bd2990aa-f9e9-4d3a-95ee-af204241a592", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--b25c4621-5d38-43ee-871e-0e5c02f2f48c", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b6a6d95c-e3b5-438d-a095-3fb0859c8f45.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b6a6d95c-e3b5-438d-a095-3fb0859c8f45.json index 9551a81247..9a4712c851 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b6a6d95c-e3b5-438d-a095-3fb0859c8f45.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b6a6d95c-e3b5-438d-a095-3fb0859c8f45.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--93130ca6-87c0-42af-a43a-9886f81225ee", + "id": "bundle--f331440f-901d-4084-9344-85d445a46c5e", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--b6a6d95c-e3b5-438d-a095-3fb0859c8f45", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b817139c-2941-4523-bfb5-10c36d230871.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b817139c-2941-4523-bfb5-10c36d230871.json index 0cff2eb057..fe079f9120 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b817139c-2941-4523-bfb5-10c36d230871.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--b817139c-2941-4523-bfb5-10c36d230871.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--188e46f6-1d36-481d-9004-c3516592e2b5", + "id": "bundle--605779e4-1f79-4b7e-b668-d4c9be9a55e6", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--b817139c-2941-4523-bfb5-10c36d230871", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bbb288c7-9e40-46bd-b0a1-db4cfef4e1ee.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bbb288c7-9e40-46bd-b0a1-db4cfef4e1ee.json index b3b2a4634c..62b3502c24 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bbb288c7-9e40-46bd-b0a1-db4cfef4e1ee.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--bbb288c7-9e40-46bd-b0a1-db4cfef4e1ee.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--b89f9c28-bc90-4590-b3bb-ecebb73f581f", + "id": "bundle--23105c3c-e773-42b5-b661-ae3a11affd82", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--bbb288c7-9e40-46bd-b0a1-db4cfef4e1ee", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c0abb110-c80e-4d6a-9f27-f2783f8bbfec.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c0abb110-c80e-4d6a-9f27-f2783f8bbfec.json index 9fd3605bd7..d3d243d8db 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c0abb110-c80e-4d6a-9f27-f2783f8bbfec.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c0abb110-c80e-4d6a-9f27-f2783f8bbfec.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--831ab28b-f3a7-4713-8af7-f7018f1ed681", + "id": "bundle--9d02893f-736b-4328-a4aa-875c14a51b48", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--c0abb110-c80e-4d6a-9f27-f2783f8bbfec", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c0e6c96d-8605-407a-9bce-628e7853b07f.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c0e6c96d-8605-407a-9bce-628e7853b07f.json index a67776c584..e11d827909 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c0e6c96d-8605-407a-9bce-628e7853b07f.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c0e6c96d-8605-407a-9bce-628e7853b07f.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--0f133fa7-5c9d-49b3-a24d-6e6e4b3f730d", + "id": "bundle--21d270ba-7bef-4e74-abee-640508e3b21c", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--c0e6c96d-8605-407a-9bce-628e7853b07f", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c1645705-a26f-45b2-aa68-ff5c93dfc0f4.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c1645705-a26f-45b2-aa68-ff5c93dfc0f4.json new file mode 100644 index 0000000000..c2c703057b --- /dev/null +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c1645705-a26f-45b2-aa68-ff5c93dfc0f4.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--0250a6d9-4179-496f-a1a1-bba2467e8b05", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--c1645705-a26f-45b2-aa68-ff5c93dfc0f4", + "created": "2026-04-23T00:43:15.974Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0915", + "external_id": "DET0915" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:30:40.347Z", + "name": "Detection of Online Edit", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--22b202f2-d4dd-44dd-b5e1-791ff2aef8ed" + ], + "x_mitre_domains": [ + "ics-attack" + ] + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c4777f1a-1481-4e8a-a3f4-0da57418c808.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c4777f1a-1481-4e8a-a3f4-0da57418c808.json index 9e206e6d0e..7fe072041f 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c4777f1a-1481-4e8a-a3f4-0da57418c808.json 
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c4777f1a-1481-4e8a-a3f4-0da57418c808.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--9255afc5-5033-4022-bcd9-63275197c607", + "id": "bundle--dc15cb70-639d-4007-bf99-0c36d614fa98", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--c4777f1a-1481-4e8a-a3f4-0da57418c808", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c4ddc0d7-0296-4d92-9ae1-1a4b7b5d1640.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c4ddc0d7-0296-4d92-9ae1-1a4b7b5d1640.json new file mode 100644 index 0000000000..4f761da56b --- /dev/null +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c4ddc0d7-0296-4d92-9ae1-1a4b7b5d1640.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--4b28860b-f6df-4bd5-bb55-10a688e6270a", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--c4ddc0d7-0296-4d92-9ae1-1a4b7b5d1640", + "created": "2026-04-22T20:32:50.322Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0908", + "external_id": "DET0908" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:29:42.421Z", + "name": "Detection of Broadcast Discovery", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--f6324642-d17d-49d4-90b2-bab9d229d6fa" + ], + "x_mitre_domains": [ + "ics-attack" + ] + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c7737640-99e8-4efb-90ee-39332b623b33.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c7737640-99e8-4efb-90ee-39332b623b33.json index cc7b125059..b5c3055304 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c7737640-99e8-4efb-90ee-39332b623b33.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c7737640-99e8-4efb-90ee-39332b623b33.json 
@@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--dd48e1c0-98b4-435c-a628-0d99c1da798f", + "id": "bundle--cb872c1b-2b79-4c4e-a9d1-96f0831ace9d", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--c7737640-99e8-4efb-90ee-39332b623b33", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c779ee07-ee85-42fe-a2c1-14ce25766cdf.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c779ee07-ee85-42fe-a2c1-14ce25766cdf.json new file mode 100644 index 0000000000..8361225f0c --- /dev/null +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c779ee07-ee85-42fe-a2c1-14ce25766cdf.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--619a42cb-6806-4ff4-bb64-3e006386502a", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--c779ee07-ee85-42fe-a2c1-14ce25766cdf", + "created": "2026-04-22T21:48:05.256Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0910", + "external_id": "DET0910" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:27:42.639Z", + "name": "Detection of Block Communications", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--3f052beb-d384-4ebe-b942-2c4ddeb95833" + ], + "x_mitre_domains": [ + "ics-attack" + ] + } + ] +} \ No newline at end of file 
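Review bot: The new DET0910 object's only pointer to detection logic is `x_mitre_analytic_refs`, and the referenced `x-mitre-analytic--3f052beb-d384-4ebe-b942-2c4ddeb95833` is neither in this bundle nor visible in this part of the diff. Before merge I would confirm that the analytic file, and any relationship tying the strategy to its technique, land in the same commit. A CI check that every `*_ref` / `*_refs` id resolves to an object in the repository would cover this. A dangling reference would leave the strategy listed but empty for defenders who build coverage maps from this data. The same applies to the other new strategy files here (DET0915, DET0908, DET0914, DET0902, DET0911).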
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c7aea5e8-cd8b-4f79-be41-3a446cdde7b7.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c7aea5e8-cd8b-4f79-be41-3a446cdde7b7.json index 12274bbb51..8242beb99a 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c7aea5e8-cd8b-4f79-be41-3a446cdde7b7.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c7aea5e8-cd8b-4f79-be41-3a446cdde7b7.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--dce7a4ee-8d1b-4ac0-8a5c-b52cf6afb94b", + "id": "bundle--38ef6c26-7b68-4791-a988-f956ed6fbbda", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--c7aea5e8-cd8b-4f79-be41-3a446cdde7b7", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c94af5cb-61c3-4180-81e7-30c1669f4252.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c94af5cb-61c3-4180-81e7-30c1669f4252.json index 245d352e81..a427e38e4b 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c94af5cb-61c3-4180-81e7-30c1669f4252.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--c94af5cb-61c3-4180-81e7-30c1669f4252.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--3b543b40-c299-42b9-b7a3-ff4829afb161", + "id": "bundle--93dc9a15-4484-4a09-9346-731a9542b851", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--c94af5cb-61c3-4180-81e7-30c1669f4252", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--cb273244-c117-4e32-afc7-f72f4e44e179.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--cb273244-c117-4e32-afc7-f72f4e44e179.json index ace49b2976..4976276812 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--cb273244-c117-4e32-afc7-f72f4e44e179.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--cb273244-c117-4e32-afc7-f72f4e44e179.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--bc6a2a40-66f3-4634-a294-3c12577aa3e2", + "id": "bundle--2afb15c3-f951-4e6b-ae4c-c47b95007d89", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--cb273244-c117-4e32-afc7-f72f4e44e179", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d8cb1dd3-8bf2-48e7-99db-473481b823a8.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d8cb1dd3-8bf2-48e7-99db-473481b823a8.json index c588f56872..5c6b6604b7 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d8cb1dd3-8bf2-48e7-99db-473481b823a8.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d8cb1dd3-8bf2-48e7-99db-473481b823a8.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--490b41c9-87aa-47cc-95c1-0284e1865f89", + "id": "bundle--8125f6eb-36bc-4fbc-a72d-910fa621aa89", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--d8cb1dd3-8bf2-48e7-99db-473481b823a8", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d9469edc-7e55-41bc-8b17-a8db9fc6302e.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d9469edc-7e55-41bc-8b17-a8db9fc6302e.json index 44bcd91798..e3d3782eeb 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d9469edc-7e55-41bc-8b17-a8db9fc6302e.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--d9469edc-7e55-41bc-8b17-a8db9fc6302e.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--a151599a-cca0-4074-99c0-a5742345b4c7", + "id": "bundle--6fb046b9-876e-4c28-8fe7-1a6cfe501660", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--d9469edc-7e55-41bc-8b17-a8db9fc6302e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--de675cf4-144e-485c-a761-c72ebcb9e2bc.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--de675cf4-144e-485c-a761-c72ebcb9e2bc.json index 871eb0bed5..a08fbcc489 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--de675cf4-144e-485c-a761-c72ebcb9e2bc.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--de675cf4-144e-485c-a761-c72ebcb9e2bc.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--cc5fc13d-1cfb-4297-a4a8-bbbb64d376c9", + "id": "bundle--ce4e51d7-b397-4b02-89d2-de048d863436", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--de675cf4-144e-485c-a761-c72ebcb9e2bc", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e69d1e15-76e1-434c-bd45-0354a10dde8a.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e69d1e15-76e1-434c-bd45-0354a10dde8a.json index 2d61739997..cc76404227 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e69d1e15-76e1-434c-bd45-0354a10dde8a.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e69d1e15-76e1-434c-bd45-0354a10dde8a.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--208d6ac3-3a03-4465-8e45-9232675c5b44", + "id": "bundle--bf7ff7f4-7417-4a78-ac94-c14f6a6d5f14", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--e69d1e15-76e1-434c-bd45-0354a10dde8a", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e6bc5359-4bd4-4688-9136-ac7a6b561f56.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e6bc5359-4bd4-4688-9136-ac7a6b561f56.json index 886a014230..9b8beed598 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e6bc5359-4bd4-4688-9136-ac7a6b561f56.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e6bc5359-4bd4-4688-9136-ac7a6b561f56.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--d8b69df0-301e-4de6-86a6-5cef41071f88", + "id": "bundle--fcb68d0f-a66f-4dd6-89c5-1a70517253f9", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--e6bc5359-4bd4-4688-9136-ac7a6b561f56", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e8b537e6-04eb-4168-a206-88cc041edf50.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e8b537e6-04eb-4168-a206-88cc041edf50.json index 0ba907e622..c4c61c9adc 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e8b537e6-04eb-4168-a206-88cc041edf50.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e8b537e6-04eb-4168-a206-88cc041edf50.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--c2776be0-f66c-4452-a79e-2d5b8682803d", + "id": "bundle--97ec50eb-d915-4b6a-94bf-e57508e36100", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--e8b537e6-04eb-4168-a206-88cc041edf50", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e90f1c0c-f2c5-4fe1-942f-411574df043f.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e90f1c0c-f2c5-4fe1-942f-411574df043f.json new file mode 100644 index 0000000000..4e237680d5 --- /dev/null +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e90f1c0c-f2c5-4fe1-942f-411574df043f.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--9b89404e-9424-4f86-b0bf-9a6b801713db", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--e90f1c0c-f2c5-4fe1-942f-411574df043f", + "created": "2026-04-23T00:32:34.211Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0914", + "external_id": "DET0914" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:31:02.396Z", + "name": "Detection of Program Append", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--3c6aa6f7-29e9-41d9-8500-30b6d0533d64" + ], + "x_mitre_domains": [ + "ics-attack" + ] + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e9f6c9ad-7368-43e3-9ba1-c9261323a1d1.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e9f6c9ad-7368-43e3-9ba1-c9261323a1d1.json index 8e3eae5fb5..049aa94d5a 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e9f6c9ad-7368-43e3-9ba1-c9261323a1d1.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--e9f6c9ad-7368-43e3-9ba1-c9261323a1d1.json 
@@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--ba50d472-d875-4bae-987e-5d7e9ec90812", + "id": "bundle--149c1ddf-8eb9-4578-bc90-5da44c6d8f42", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--e9f6c9ad-7368-43e3-9ba1-c9261323a1d1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--eabde43f-1872-499d-9642-85a6959c4d28.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--eabde43f-1872-499d-9642-85a6959c4d28.json index b8f7871d3f..73b7f36a0d 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--eabde43f-1872-499d-9642-85a6959c4d28.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--eabde43f-1872-499d-9642-85a6959c4d28.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--d460bde8-fd45-4b5d-9f44-a61b3816ba3f", + "id": "bundle--3c511791-bd8f-4275-9598-6f112277ab81", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--eabde43f-1872-499d-9642-85a6959c4d28", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ec442b22-3dc8-4b2b-8294-b76b0f01d748.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ec442b22-3dc8-4b2b-8294-b76b0f01d748.json index a45d906c83..a9a1c46d30 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ec442b22-3dc8-4b2b-8294-b76b0f01d748.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ec442b22-3dc8-4b2b-8294-b76b0f01d748.json 
@@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--2d50b916-2960-495b-8fb3-6b8b37ff9413", + "id": "bundle--8ea09856-e925-4954-b551-5aa91102edae", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--ec442b22-3dc8-4b2b-8294-b76b0f01d748", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--edf989d8-7e25-4ed2-b289-a55dee68a75e.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--edf989d8-7e25-4ed2-b289-a55dee68a75e.json index 582681d4a9..556c6999b4 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--edf989d8-7e25-4ed2-b289-a55dee68a75e.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--edf989d8-7e25-4ed2-b289-a55dee68a75e.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--fec57dc1-4fa1-448d-b51d-cd58962ce9d7", + "id": "bundle--efda2bac-f6a7-4c64-8ae9-70dcae7746a3", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--edf989d8-7e25-4ed2-b289-a55dee68a75e", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f1a7e304-d05f-4e48-89b7-8b034f507c32.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f1a7e304-d05f-4e48-89b7-8b034f507c32.json index 16a47f319b..128889cac4 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f1a7e304-d05f-4e48-89b7-8b034f507c32.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f1a7e304-d05f-4e48-89b7-8b034f507c32.json 
@@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--816a4a6a-948d-4e02-9714-f2b5ca143588", + "id": "bundle--e1f9346c-b500-4cbf-9eec-f28fc0e301d1", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--f1a7e304-d05f-4e48-89b7-8b034f507c32", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f487a605-0acb-4b12-b157-33b75ebd9a40.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f487a605-0acb-4b12-b157-33b75ebd9a40.json new file mode 100644 index 0000000000..5db4a0929a --- /dev/null +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f487a605-0acb-4b12-b157-33b75ebd9a40.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--937e5f6b-01de-47c2-ab60-1932125e498f", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-detection-strategy", + "spec_version": "2.1", + "id": "x-mitre-detection-strategy--f487a605-0acb-4b12-b157-33b75ebd9a40", + "created": "2026-04-22T14:32:49.664Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/detectionstrategies/DET0902", + "external_id": "DET0902" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2026-04-24T20:31:37.796Z", + "name": "Detection of Unauthorized Message", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.3.0", + "x_mitre_analytic_refs": [ + "x-mitre-analytic--613b28ef-88dd-4008-8d7e-206ce55a7cde" + ], + "x_mitre_domains": [ + "ics-attack" + ] + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f4f3b9a6-2de0-45a5-8936-2ad9288191b9.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f4f3b9a6-2de0-45a5-8936-2ad9288191b9.json index 76e7adb260..eac7530d49 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f4f3b9a6-2de0-45a5-8936-2ad9288191b9.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f4f3b9a6-2de0-45a5-8936-2ad9288191b9.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--3cc37527-04de-430e-ae84-7712ddddd467", + "id": "bundle--d49e5a04-7ade-4a2d-9eb5-46ead62915f7", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--f4f3b9a6-2de0-45a5-8936-2ad9288191b9", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f9b7143b-ce86-4cfb-a03a-f39c01904fb1.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f9b7143b-ce86-4cfb-a03a-f39c01904fb1.json index 5cf0fd33da..99606414c3 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f9b7143b-ce86-4cfb-a03a-f39c01904fb1.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f9b7143b-ce86-4cfb-a03a-f39c01904fb1.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--ce218a2c-6ea5-411b-8466-9a7759b105df", + "id": "bundle--fd7386e9-d78b-4f1d-af34-d6f48781ac9a", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--f9b7143b-ce86-4cfb-a03a-f39c01904fb1", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f9ea25e7-6e63-4ef1-a8ad-47a4a261e175.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f9ea25e7-6e63-4ef1-a8ad-47a4a261e175.json index 0ae3480509..5b64f09eab 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f9ea25e7-6e63-4ef1-a8ad-47a4a261e175.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--f9ea25e7-6e63-4ef1-a8ad-47a4a261e175.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--8ec8b404-72eb-495f-831b-2be6c1431aa4", + "id": "bundle--2f3f9d5a-9f98-4543-bdb4-62963dcbb9b4", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--f9ea25e7-6e63-4ef1-a8ad-47a4a261e175", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--fb0931d5-8eb9-4db2-a2a4-447c32b29bd4.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--fb0931d5-8eb9-4db2-a2a4-447c32b29bd4.json index 89f2b413cf..4dc8cc83b1 100644 --- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--fb0931d5-8eb9-4db2-a2a4-447c32b29bd4.json +++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--fb0931d5-8eb9-4db2-a2a4-447c32b29bd4.json @@ -1,10 +1,11 @@ { "type": "bundle", - "id": "bundle--815e5d29-199a-4149-a329-fc4ad137e0e5", + "id": "bundle--33c54fa2-8af2-4a5f-ad22-8a9d5c4457ef", "spec_version": "2.0", "objects": [ { "type": "x-mitre-detection-strategy", + "spec_version": "2.1", "id": "x-mitre-detection-strategy--fb0931d5-8eb9-4db2-a2a4-447c32b29bd4", "created": "2025-10-21T15:10:28.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--fddbd892-faa2-40e1-b40d-2c6e33c00f14.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--fddbd892-faa2-40e1-b40d-2c6e33c00f14.json
index 150e98608a..b699190d48 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--fddbd892-faa2-40e1-b40d-2c6e33c00f14.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--fddbd892-faa2-40e1-b40d-2c6e33c00f14.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--b3c3c0bb-6c02-40f0-bff7-fe979b9d6a62",
+ "id": "bundle--160f7383-f161-4a4b-b2e3-5caf41157a84",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--fddbd892-faa2-40e1-b40d-2c6e33c00f14",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--fe11c904-752f-40e2-b269-c53bbb29541a.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--fe11c904-752f-40e2-b269-c53bbb29541a.json
index 0820cb7605..baa1936d87 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--fe11c904-752f-40e2-b269-c53bbb29541a.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--fe11c904-752f-40e2-b269-c53bbb29541a.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--e6236aa5-6450-4d68-ac78-1b693db50cd3",
+ "id": "bundle--c08c974a-d9f7-4c94-a5af-5c01fc5dbb8c",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--fe11c904-752f-40e2-b269-c53bbb29541a",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--feb80c7a-96cd-4300-b344-4d75b176c9cb.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--feb80c7a-96cd-4300-b344-4d75b176c9cb.json
new file mode 100644
index 0000000000..59b57d4924
--- /dev/null
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--feb80c7a-96cd-4300-b344-4d75b176c9cb.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--00a9c81d-0af6-45f3-ac57-ad5e9370e25a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
+ "id": "x-mitre-detection-strategy--feb80c7a-96cd-4300-b344-4d75b176c9cb",
+ "created": "2026-04-22T22:42:31.791Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0911",
+ "external_id": "DET0911"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:27:51.377Z",
+ "name": "Detection of Block Ethernet",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--df7f8849-56a7-4e83-9fd7-a4f25227d960"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ff6456fc-576d-4da5-b561-b58f70961b15.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ff6456fc-576d-4da5-b561-b58f70961b15.json
new file mode 100644
index 0000000000..da7e124452
--- /dev/null
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ff6456fc-576d-4da5-b561-b58f70961b15.json
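Review bot: `x_mitre_analytic_refs` in this new strategy points at `x-mitre-analytic--df7f8849-56a7-4e83-9fd7-a4f25227d960`, which is not visible in this part of the diff; if that analytic does not ship in the same release, DET0911 resolves to a name with no detection logic behind it. The object also carries no `description`, so `"name": "Detection of Block Ethernet"` is the only human-readable text an analyst gets from it. The sibling new file for DET0905 has the same shape. A referential-integrity check in the export pipeline (every `x_mitre_analytic_refs` entry must exist in the same domain) would catch a dangling ref before publication.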
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--315e4540-e50e-4d0f-8be0-75a8084dd90e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
+ "id": "x-mitre-detection-strategy--ff6456fc-576d-4da5-b561-b58f70961b15",
+ "created": "2026-04-22T16:29:50.802Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/detectionstrategies/DET0905",
+ "external_id": "DET0905"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2026-04-24T20:30:16.130Z",
+ "name": "Detection of Insecure Credentials",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.3.0",
+ "x_mitre_analytic_refs": [
+ "x-mitre-analytic--1017530e-423d-4857-80b6-99891bf82d28"
+ ],
+ "x_mitre_domains": [
+ "ics-attack"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ffeac6e1-798f-41b1-8baf-2650d2ebe031.json b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ffeac6e1-798f-41b1-8baf-2650d2ebe031.json
index 71c46018d8..fe6609b3b3 100644
--- a/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ffeac6e1-798f-41b1-8baf-2650d2ebe031.json
+++ b/ics-attack/x-mitre-detection-strategy/x-mitre-detection-strategy--ffeac6e1-798f-41b1-8baf-2650d2ebe031.json
@@ -1,10 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--dbdd6536-5b2e-46cb-a717-27aef1daced3",
+ "id": "bundle--67beb6da-73b8-4bd0-9f1e-7e4786287434",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "x-mitre-detection-strategy",
+ "spec_version": "2.1",
 "id": "x-mitre-detection-strategy--ffeac6e1-798f-41b1-8baf-2650d2ebe031",
 "created": "2025-10-21T15:10:28.402Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
diff --git a/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json b/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json
index c8a66a3614..cbaa728cbc 100644
--- a/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json
+++ b/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d6848a95-8294-4692-9d3c-1c3539afb0cf",
+ "id": "bundle--8aa952ae-a8ce-4dce-b05c-1c1aea410101",
 "spec_version": "2.0",
 "objects": [
 {
@@ -8,19 +8,20 @@
 "id": "x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7",
 "created": "2018-10-17T00:14:20.652Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/matrices/ics/",
+ "url": "https://attack.mitre.org/matrices/ics-attack",
 "external_id": "ics-attack"
 }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2025-04-25T14:39:11.147Z",
+ "modified": "2026-04-14T17:36:35.980Z",
 "name": "ATT&CK for ICS",
- "description": "The full ATT&CK for ICS Matrix includes techniques spanning various ICS assets and can be used to navigate through the knowledge base.",
+ "description": "Below are the tactics and techniques representing the MITRE ATT&CK Matrix for ICS.",
 "tactic_refs": [
 "x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a",
 "x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45",
@@ -37,11 +38,8 @@
 ],
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
 "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.2.0"
+ "x_mitre_attack_spec_version": "3.3.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json
index fc312b8bc0..17d1b57f66 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--59f88612-b26a-4c3b-8cf9-f18fe6922d39",
+ "id": "bundle--7e09c86c-1dc6-4799-98f5-7208ef4ff17b",
 "spec_version": "2.0",
 "objects": [
 {
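Review bot: The `url` in `external_references` changes from `https://attack.mitre.org/matrices/ics/` to `https://attack.mitre.org/matrices/ics-attack`, which looks derived from `external_id` rather than from the site's path; nothing in the diff confirms that the new path resolves, so it deserves a link check before release. The new `description`, "Below are the tactics and techniques…", is page-relative wording that reads oddly once the object is consumed outside the website, whereas the sentence it replaces was self-contained. The matrix object continues outside this hunk.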
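Review bot: `x_mitre_domains` is removed from the matrix object in the second hunk while the detection-strategy objects in the same commit keep it, so tooling that selects ICS objects by `x_mitre_domains` containing `"ics-attack"` would presumably stop returning the matrix. If ATT&CK spec 3.3.0 drops the field for matrices on purpose, that belongs in the release notes as a consumer-visible schema change; otherwise keep `"x_mitre_domains": ["ics-attack"],` on the object.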
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json
index cc8d3c258a..73ccc28ce8 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--623daf39-46b0-465a-8331-f9b48c3cd872",
+ "id": "bundle--2401e111-5690-4e33-ac11-275bd79a1d39",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json
index a81e96ec13..236857bd48 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--76b6d54a-345a-4d60-89c0-154ff8efbbd9",
+ "id": "bundle--ea90164f-02c3-4375-8e16-31c12d5d30b0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json
index 744426e568..de5a81b4fb 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bcfa8ede-2811-43e4-89f5-b0eed1830994",
+ "id": "bundle--02cd498f-8702-47d1-8d36-ed3aad9aec47",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json
index e3239e277d..3abe491932 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cf1cc8f9-d6e0-4545-a934-acb2bb645d02",
+ "id": "bundle--bd3d1f01-6cc6-4f04-9dd6-defb87553c54",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json
index 444ef61ebd..fe818f888a 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--aebbd1a6-99c5-4063-86fe-4faaff957a98",
+ "id": "bundle--3d2298e4-642d-4145-a364-02d9a82eadbd",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json
index 526ade58a0..34de43bbb6 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--582de72c-3766-4ccd-97db-940084df89e4",
+ "id": "bundle--c7bbdafe-9a90-43ae-b02b-f252fa4f69c8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json
index 9365811ec2..503cf26814 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--aeec05ea-162a-4911-b8cd-8ffc7f166f67",
+ "id": "bundle--e15a3304-cfb0-4d21-99e7-45baab69d0f1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json
index 47eb78da5f..9893a092c1 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--068e2809-6414-4d72-9d6e-b55c488dd06c",
+ "id": "bundle--fa82f96d-1d35-4195-bd9b-6bd6e1180c71",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json
index e50b2c605c..af2a682b4a 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1de61087-59a5-44c8-b019-457bec7079e8",
+ "id": "bundle--01ac1ea8-3431-4014-bc9f-688b6a0e7e2a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json
index 94f9d1470f..6d3d6d8618 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a169cc53-48c8-4e66-8d99-517795329baf",
+ "id": "bundle--dfd1927e-bea3-4a9e-aa81-0d44b4616b59",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json
index 236cc7dd7d..b8390b1b9c 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--275ca7d1-0952-4db3-9787-6a13604df5d9",
+ "id": "bundle--7652310d-3617-471e-9512-5b8d1023ffd7",
 "spec_version": "2.0",
 "objects": [
 {